A bug in Peloton’s API may have exposed a whole lot of user data

An old version of Peloton’s API, the software that allows the company’s bikes and recalled treadmills to communicate with its servers, may have exposed private customer profiles, according to a report from TechCrunch. The bug was first spotted by Jan Masters, a security researcher at Pen Test Partners, and reported to Peloton on January 20th, but the company is only just now confirming that the bug has been fixed.

Using Peloton’s API, Masters was able to scrape all sorts of customer information that would typically be private, depending on the individual user’s settings. That includes customer profiles, which can potentially feature their age, location, birthday, and workout history. All Masters had to do was make an unauthenticated request to Peloton’s API and customer data was his. Masters has a more thorough explanation of how the exploit worked on Pen Test Partners’ blog and also summarized his findings in the video below:

After reporting the bug to Peloton, Masters set a 90-day deadline to address the issue. That deadline came and went without Peloton saying whether the API was fixed, which prompted Masters to turn to TechCrunch. Peloton finally responded and shared the following statement with the publication:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

The screens on Peloton’s bikes and treadmills are what make the company’s workout ways so compelling. It’s how subscribers attend classes, track their workouts, and even do other non-bike or treadmill exercises. It’s a feature that Peloton charges $39 per month for an all-access membership to. Yet, like all connected devices, particularly fitness ones, it can leave private customer information more vulnerable than a non-connected stationary bike would.

Masters writes that Peloton apologized and said it resolved a majority of the API issues within a week of his report. What’s not immediately clear is if anyone other than Masters gained access to customer data while the API was in a leaky state.

When The Verge followed up to check, Peloton said it had nothing new to share that it hadn’t already provided TechCrunch and Pen Test Partners. The company also reiterated it responded to the API issue immediately.

Source link

More from author


Please enter your comment!
Please enter your name here

Related posts


Latest posts

Windows 11’s news feed has built-in tipping to support local content creators

Supporting local news sources is suddenly something the tech industry worries about, and with Windows 11, Microsoft is adding integration with...

UK carrier EE introduces EU roaming charges following Brexit

UK carrier EE is introducing roaming charges for customers traveling to almost all EU countries from January next year, BBC News...

Google delays blocking third-party cookies in Chrome until 2023

Google is announcing today that it is delaying its plans to phase out third-party cookies in the Chrome browser until 2023,...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!