Peloton security bug could expose user data

Exposed API could let hackers access customer data

A flaw in how Peloton fitness bikes communicate with the company’s servers could have inadvertently allowed anyone to access customers’ private data.

According to investigations carried out by Pen Test Partners, the mobile, web application, and back-end APIs had several endpoints that revealed users’ information to authenticated and unauthenticated users.

Jan Masters, a security researcher at Pen Test Partners, spotted the vulnerability in January. He discovered he could make unauthenticated requests to the fitness firm’s API for account data. According to Masters, there were no checks to ensure he was allowed to request the data.

The exposed API allowed the researcher to access a range of information, such as a user’s age, gender, location, weight, workout stats, and birthday, even when the user had set their profile page to private.

Masters notified Peloton of his findings via its vulnerability disclosure program in the middle of January with a 90-day deadline to fix the issues. That deadline came and went with Peloton only acknowledging the problem and not fixing it.

In early February, Peloton quietly and partly resolved the unauthenticated API endpoint issue. Still, Masters pointed out that this meant user data was now available to any authenticated Peloton user who had taken out a monthly subscription to the service.
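The two failures the article describes are distinct: the endpoints first answered requests with no authentication at all, and the February fix added a login check but still no check that the caller was entitled to the particular record requested, so every subscriber could read every other subscriber's private profile. The following added example (not code from Peloton or Pen Test Partners; the user records, bearer tokens, field names and handler names are constructed for illustration, and the real API's endpoints and schema are not modelled) shows the same endpoint in three states: the original unauthenticated form, the partial fix that only authenticates, and a hardened form that also enforces object-level authorization and honours the private flag.

```python
"""Three versions of a profile-lookup handler, modelling the access-control
states described in the article. Added example, not the vendor's code.
All data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample users: one private profile, one public.
USERS = {
    "u100": {"id": "u100", "username": "alice", "age": 34, "gender": "F",
             "location": "Leeds", "weight_kg": 61, "birthday": "1987-03-09",
             "workouts": 412, "private": True},
    "u200": {"id": "u200", "username": "bob", "age": 41, "gender": "M",
             "location": "Austin", "weight_kg": 84, "birthday": "1980-11-30",
             "workouts": 97, "private": False},
}

# Constructed session store: bearer token -> user id. Any valid token stands
# for an "authenticated subscriber" in the article's sense.
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}

# Fields a public profile may expose to other users; the rest is owner-only.
PUBLIC_FIELDS = {"id", "username", "workouts"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers: dict) -> Optional[str]:
    """Return the caller's user id from an 'Authorization: Bearer <token>'
    header, or None when the header is absent or the token is unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def vulnerable_profile(user_id: str, headers: dict) -> Response:
    """State one: no authentication and no authorization. Anyone who knows
    an id receives the full record, private flag or not."""
    user = USERS.get(user_id)
    return Response(200, dict(user)) if user else Response(404)


def partially_fixed_profile(user_id: str, headers: dict) -> Response:
    """State two (the partial fix): a valid session is required, but the
    caller's relationship to the requested record is never checked, so any
    subscriber can still read any other subscriber's private data."""
    if authenticate(headers) is None:
        return Response(401)
    user = USERS.get(user_id)
    return Response(200, dict(user)) if user else Response(404)


def hardened_profile(user_id: str, headers: dict) -> Response:
    """State three: authentication plus object-level authorization.
    The owner sees the full record; other callers see only PUBLIC_FIELDS,
    and nothing at all when the profile is private."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401)
    user = USERS.get(user_id)
    if user is None:
        return Response(404)
    if caller == user_id:
        return Response(200, dict(user))          # owner: full record
    if user["private"]:
        return Response(403)                      # private: deny outright
    # Public profile: expose only the allow-listed fields.
    return Response(200, {k: v for k, v in user.items() if k in PUBLIC_FIELDS})


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print("no auth, vulnerable   :", vulnerable_profile("u100", {}).status)
    print("bob -> alice, partial :", partially_fixed_profile("u100", bob).status)
    print("bob -> alice, hardened:", hardened_profile("u100", bob).status)
```

The hardened handler uses an allow-list of fields rather than stripping known-sensitive ones, so a field added to the record later stays owner-only by default. Returning 404 instead of 403 for private profiles is a reasonable variation when the service also wants to avoid confirming that a given id exists.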

Masters then asked for an update, given that Peloton had made a partial fix, but Peloton didn’t respond.

After 90 days, Masters contacted a journalist at TechCrunch, who then broke the story. “This started a constructive conversation and resulted in the vulnerabilities being largely resolved,” said Masters.

“A full investigation should be conducted by Peloton to improve their security, especially now that famous individuals are openly using this service,” added Masters.

Since Masters contacted the press, Peloton’s new CISO has remained in contact with him about the flaws. The company fixed most of them within a week.

“It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to,” he added.

The Peloton bike has gained popularity over the years as a way to keep fit at home, especially since the coronavirus pandemic hit the world last year. Earlier this year, President Biden was prevented from bringing his Peloton into the White House over concerns that it could be a security risk. It seems now that those concerns were well-founded.
