Researcher Claims Peloton APIs Exposed All Users Data

A security researcher has discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users.

Pen Test Partners explained in a new blog post that the problem could be traced back to unauthenticated API endpoints, which could have allowed hackers to interrogate  information on all users.

Among the potentially exposed data was user and instructor IDs, group membership, location, workout stats, gender and age, and whether users are in the studio or not.

“The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users,” the security consultancy said.

“A full investigation should be conducted by Peloton to improve their security, especially now that famous individuals are openly using this service.”

The security flaws were so bad that it leaked information even for users in privacy mode, Pen Test Partners claimed.

Peloton has become hugely popular during the pandemic as a way for locked-down consumers to keep fit at home. The firm claims to have over three million subscribers, including famous users such as US President Biden, who probably don’t want their workout stats and location made public.

Unfortunately, Peloton initially appeared to make a few mistakes in its handling of the responsible disclosure.

According to Pen Test Partners: “it acknowledged the disclosure, then ignored me and silently ‘fixed’ one of the issues. The ‘fix’ didn’t fix the vulnerability.”

The security firm was forced to reach out to a journalist months after its initial disclosure to try and start a constructive dialog.

“Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post. The vulnerabilities were largely fixed within seven days,” it concluded.

“It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to.”

Jason Kent, hacker in residence at Cequence Security, argued that 2021 could be the year of the API attack unless organizations find and properly secure all of their API endpoints.

“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data,” he added.

“The information might not show in the application itself, but developers and security teams need to also confirm that the APIs themselves conform to the security measures in place.”

What’s Hot on Infosecurity Magazine?