Researcher Claims Peloton APIs Exposed All Users Data
A security researcher has discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users.
Pen Test Partners explained in a new blog post that the problem could be traced back to unauthenticated API endpoints, which could have allowed hackers to interrogate information on all users.
Among the potentially exposed data was user and instructor IDs, group membership, location, workout stats, gender and age, and whether users are in the studio or not.
“The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users,” the security consultancy said.
“A full investigation should be conducted by Peloton to improve their security, especially now that famous individuals are openly using this service.”
The security flaws were so bad that it leaked information even for users in privacy mode, Pen Test Partners claimed.
Peloton has become hugely popular during the pandemic as a way for locked-down consumers to keep fit at home. The firm claims to have over three million subscribers, including famous users such as US President Biden, who probably don’t want their workout stats and location made public.
Unfortunately, Peloton initially appeared to make a few mistakes in its handling of the responsible disclosure.
According to Pen Test Partners: “it acknowledged the disclosure, then ignored me and silently ‘fixed’ one of the issues. The ‘fix’ didn’t fix the vulnerability.”
The security firm was forced to ..