Peloton’s API was leaking users’ private data, but the company didn’t tell its users until a researcher reached out to a cybersecurity journalist for help.
Peloton is a maker of connected smart stationary bikes and treadmills that launched with help from a Kickstarter campaign in 2013.
On top of the privacy leak, Peloton announced it is recalling all its Internet-connected treadmills after the machines were linked to 70 injuries and the death of a child.
The company’s CEO also admitted that it had been wrong to have refused the Consumer Product Safety Commission’s request to pull the equipment off the market when the CPSC warned consumers to stay off the Peloton Tread+.
In a new twist to the troubled Peloton story, Pen Test Partners security researcher Jan Masters found that Peloton users’ private profile details (age, city, or workout history) popped up in a screenshot while they were working out on the bikes. When this happened to TechCrunch’s Zack Whittaker last week, he worked with Pen Test Partners to get Peloton’s attention.
Masters had discovered that a bug allowed anyone to scrape users’ private account data straight off Peloton’s servers. As he explained in a post, the leaky API let any random internet user make an unauthenticated request for account data and get it back.
The exposed private details include:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- Whether they are in the studio or not
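As an added illustration (not Peloton’s code; plain functions over constructed in-memory data, no web framework), here is the unauthenticated pattern described above beside a hardened handler that authenticates the caller, honours a profile’s private flag, and returns only the fields the caller may see:

```python
# Constructed sample records using the field categories listed above.
PROFILES = {
    "u-1001": {"user_id": "u-1001", "age": 41, "gender": "f", "city": "Austin",
               "private": True, "groups": ["g-7"], "instructor_id": "i-3",
               "workout_stats": {"rides": 120}, "in_studio": False},
    "u-1002": {"user_id": "u-1002", "age": 29, "gender": "m", "city": "Denver",
               "private": False, "groups": ["g-2"], "instructor_id": "i-9",
               "workout_stats": {"rides": 8}, "in_studio": True},
}
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}  # bearer token -> user id
PUBLIC_FIELDS = {"user_id", "workout_stats"}            # data minimisation for others


class ApiError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def get_profile_leaky(user_id, auth_token=None):
    """Vulnerable pattern: the token is ignored, so anyone who knows or
    enumerates a user id receives the full private record."""
    return PROFILES[user_id]


def get_profile_hardened(user_id, auth_token=None):
    """Hardened pattern: authenticate first, then authorise per record."""
    requester = SESSIONS.get(auth_token)
    if requester is None:
        raise ApiError(401)  # no valid session: reject before touching data
    record = PROFILES.get(user_id)
    # Same answer for "no such user" and "private, not yours" so the
    # endpoint cannot be used to confirm which ids exist.
    if record is None or (record["private"] and requester != user_id):
        raise ApiError(404)
    if requester == user_id:
        return {k: v for k, v in record.items() if k != "private"}
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def call(fn, user_id, auth_token=None):
    """Invoke a handler and return (status, body) like an HTTP layer would."""
    try:
        return 200, fn(user_id, auth_token)
    except ApiError as e:
        return e.status, None
```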
Peloton has more than 3 million subscribers; one of them is reportedly President Joe Biden, as we reported a month ago.
Jason Kent, Hacker in Residence at Cequence Security, told Threatpost “We are in for a wild ride of API-driven breaches.”
He says misconfigured APIs are a big problem, one that does not get the attention it needs.
“It’s the plumbing that enabled the leak, and the resulting leak is the ‘news.’” The API problem itself doesn’t get as much coverage, according to him. But as more leaks surface, Kent believes more attention will be paid to these vulnerabilities.
Bad actors can use the leaked data to perform an array of malicious activities.
“They could also build fake profiles, execute fake account creation attacks on other apps, look for their username in other apps, use the data in automated attacks,” Kent said. “Personal data is the critical element in building out cyber attacks – the other two are infrastructure and tools.”
The only way to plug the dam is to stop putting everything on the Internet, according to Kent.