Newly Patched Peloton API Flaws Exposed Users' Private Data
Pen Test Partners: Millions Could Have Had Data Exposed
Security researchers say API flaws could have exposed the private data of millions of Peloton fitness equipment online service users for months before they were recently patched.
The disclosure came the same week that Peloton announced voluntary recalls of two of its treadmills over serious safety concerns.
In a blog posted Wednesday, security consultancy Pen Test Partners says that in January its researchers notified Peloton, via its vulnerability disclosure site, about flaws in an API endpoint.
The flaws could allow unauthenticated requests to retrieve sensitive information about any Peloton user, including live class statistics, even when the user had chosen the private settings for their account profile, Pen Test Partners says.
"Peloton has two different privacy settings: 'private profile' and 'hide my age and gender,'" the blog notes. "'Private profile' restricts users from viewing your profile, and 'hide my age and gender' does that in online classes. Having a private profile does not protect all of your data when using Peloton’s classes."
The private information of Peloton users that was potentially exposed includes user IDs, instructor IDs, group membership, location, workout stats, gender and age, the Pen Test Partners researchers say.
"The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users," the researchers say.
The Pen Test Partners blog notes that Peloton acknowledged the firm's vulnerability disclosure submission but then "ignored" the researchers and quietly "fixed" one of the issues in February. Peloton's initial correction did not fully solve the problem, the researchers say. After that fix, user data was still accessible "to all authenticated Peloton users," the blog notes.
Pen Test Partners recently asked a journalist to contact the fitness gear maker about the issues, and by Wednesday, "the vulnerabilities were largely fixed," the researchers write in the blog.
In a statement provided to Information Security Media Group, Peloton acknowledged that it implemented a partial fix for one of the reported issues when it received the initial report from the security researchers.
"As of this week, we have implemented fixes to the rest, and we are still in discussions with the researcher to hear his feedback on the solutions we’ve implemented," Peloton says. "Going forward, we will do better to respond more promptly to security researchers who report vulnerabilities under our coordinated vulnerability disclosure program."
Peloton did not respond to ISMG's request for other information, including the number of individuals whose data was potentially exposed.
Pen Test Partners researcher Ken Munro tells ISMG that three problems were identified in the Peloton APIs.
"First, the GraphQL API endpoints weren’t initially checking that the [query] request was from an authorized user. By enforcing authorization, this problem was partly solved," he says.
"Second, even when partly resolved, requests to those endpoints were disclosing data from other users than the one intended," he says. "Again, stronger request authorization finally resolved this. API request authorization is a very common problem: Developers should ensure that the user making the request is the one that is intended to have access to that information."
The third issue, Munro says, "was that privacy settings weren’t being respected by the platform. A user turned on privacy settings, but they weren’t effective when one joined an online class."
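The three failures Munro lists, and the two privacy settings the blog describes, are the classic shape of an API authorization bug: no authentication check, no object-level check, and a privacy policy enforced on one code path but not another. The following is an added example, not Peloton's code or the researchers' test harness: a small Python model of a profile and live-class resolver in a vulnerable form beside a hardened one. The user records, the class roster, the field names and the privacy policy (owner sees everything; other users see nothing of a private profile, never see location, and see age and gender only when not hidden) are all constructed for the example.

```python
"""Added example (not Peloton's code): a model of the three API authorization
failures described in the article, each beside a hardened version.
Users, fields, roster and the privacy policy are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Optional


class AuthError(Exception):
    """Raised for unauthenticated or unauthorized requests."""


@dataclass
class User:
    user_id: str
    username: str
    age: int
    gender: str
    location: str
    workout_stats: dict
    private_profile: bool = False   # models the "private profile" setting
    hide_age_gender: bool = False   # models the "hide my age and gender" setting


@dataclass
class Session:
    user_id: Optional[str] = None   # None models an unauthenticated caller


# Constructed sample data: three users who all ride the same live class.
USERS = {
    "u1": User("u1", "alice", 34, "F", "Seattle", {"output_kj": 312}),
    "u2": User("u2", "bob", 41, "M", "Austin", {"output_kj": 287}, private_profile=True),
    "u3": User("u3", "carol", 29, "F", "Denver", {"output_kj": 355}, hide_age_gender=True),
}
CLASS_ROSTER = {"class-42": ["u1", "u2", "u3"]}


# ---- Vulnerable resolvers, mirroring the behaviour the researchers describe ----

def vulnerable_profile(session: Session, target_id: str) -> dict:
    """Issue 1: never checks that the caller is authenticated.
    Issue 2: never checks that the caller may see *this* user's record."""
    u = USERS[target_id]
    return {"user_id": u.user_id, "username": u.username, "age": u.age,
            "gender": u.gender, "location": u.location,
            "workout_stats": u.workout_stats}


def vulnerable_class_stats(session: Session, class_id: str) -> list:
    """Issue 3: the live-class view ignores both privacy settings."""
    return [vulnerable_profile(session, uid) for uid in CLASS_ROSTER[class_id]]


# ---- Hardened resolvers ----

def require_auth(session: Session) -> User:
    """Every request must carry a valid session (fixes issue 1)."""
    if session.user_id is None or session.user_id not in USERS:
        raise AuthError("authentication required")
    return USERS[session.user_id]


def visible_fields(target: User, viewer: User) -> Optional[dict]:
    """Object-level authorization and the privacy policy in ONE place, so every
    endpoint that renders a user goes through it (fixes issues 2 and 3).
    Returns None when the viewer may not see the record at all."""
    if viewer.user_id == target.user_id:          # owner: full record
        return {"user_id": target.user_id, "username": target.username,
                "age": target.age, "gender": target.gender,
                "location": target.location, "workout_stats": target.workout_stats}
    if target.private_profile:                    # private: nothing for others
        return None
    rec = {"user_id": target.user_id, "username": target.username,
           "workout_stats": target.workout_stats}  # location is never shared
    if not target.hide_age_gender:
        rec.update(age=target.age, gender=target.gender)
    return rec


def hardened_profile(session: Session, target_id: str) -> dict:
    viewer = require_auth(session)
    target = USERS.get(target_id)
    # One error for "missing" and "forbidden", so the endpoint cannot be used
    # to enumerate which user IDs exist.
    rec = visible_fields(target, viewer) if target else None
    if rec is None:
        raise AuthError("not found")
    return rec


def hardened_class_stats(session: Session, class_id: str) -> list:
    """Live-class view built from the same policy function as the profile."""
    viewer = require_auth(session)
    rows = [visible_fields(USERS[uid], viewer) for uid in CLASS_ROSTER.get(class_id, [])]
    return [r for r in rows if r is not None]


def denied(fn: Callable, *args) -> bool:
    """True if the call is rejected with AuthError; used to check the hardened path."""
    try:
        fn(*args)
        return False
    except AuthError:
        return True
```

Calling `vulnerable_profile(Session(), "u2")` returns Bob's age and location to an anonymous caller; `hardened_profile(Session(), "u2")` is rejected, and `hardened_profile(Session("u1"), "u3")` returns Carol's workout stats but neither her age, gender nor location. The design point is that `visible_fields` is the only place the policy lives, which is what prevents the third issue: a class endpoint written later cannot forget a setting it never had to know about.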
Munro notes that his firm has identified similar security issues on other fitness devices, including running and biking apps.
Millions of Subscribers
Peloton has more than 4.4 million members, including nearly 1.7 million connected fitness subscribers, according to its second quarter 2021 shareholder letter.
"Famous figures, such as the president of the United States, use Peloton," the Pen Test Partners blog notes.
The New York Times reported in January, before Biden's inauguration, that the prospect of his using his Peloton bike in the White House was raising security concerns - not because of the API issue spotlighted by Pen Test Partners but because Peloton tablets have built-in cameras and microphones that let users see and hear one another if they choose.
It's unclear whether Biden is using his Peloton in the White House with the tablet and connectivity removed, the newspaper reported.
Importance of Testing
The Peloton incident highlights the importance of businesses conducting regular security and vulnerability testing of their software to address potential leaks or unauthorized exposure of personal data, says regulatory attorney Ashley Thomas of the law firm Morris, Manning & Martin LLP.
"The Federal Trade Commission has signaled that organizations should begin to incorporate vulnerability disclosure programs in their business practices," she notes.
The FTC has indicated that the failure to maintain an adequate process for receiving and addressing security vulnerability reports from outside security researchers and consultants could potentially be considered an unreasonable practice in violation of Section 5 of the FTC Act, she adds.
Any time personal information about an individual is inappropriately disclosed, "there is the potential for the disclosure to be harmful," says privacy attorney Sheila Sokolowski of law firm Hintze Law PLLC.
"While many people who use these types of apps and devices are happy to share their personal information, not everyone is," she says. "It depends on each individual’s circumstances, which can, of course, change over time."
Other reports of lax security in fitness apps and wearable devices have emerged.
For example, Strava, a fitness-tracking mobile app, published a global heat map of its users' movements, built from the phone GPS data the app collects to record when and where users exercise.
"This included individuals in the military. By analyzing this heat map, one could easily discover commonly used exercise routes or patrolled roads from military bases in combat zones in Afghanistan, Iraq and Syria," Thomas says.
Not long after that discovery, the Department of Defense released a new policy prohibiting the use of GPS functions in deployed locations, she notes.
"Security vulnerabilities in fitness apps and wearables can present privacy and real safety concerns to individual users," Thomas adds.
"It is rare that a company will try to mislead a user, but in the rush to market, sometimes technological or design mistakes can be made," Sokolowski says. "The technology and privacy design are complicated. When mistakes are made, companies need to respond in a timely and responsible way."