Peloton Exercise App API Exposed User Data

Threat researchers had discovered that Peloton exercise products and installed API might have leaked the credentials and private data for millions of users before it was recently patched. 

What Happened?

On the heels of Peloton recalling two of its treadmills due to serious safety issues, last Wednesday Pen Test Partners, an independent security research firm, announced on its blog that they notified Peloton in January about a security flaw in its API. 

Data Breach Today said that “The flaws could allow unauthenticated individuals to view sensitive information for all Peloton users, including snooping on live class statistics, even when users chose private mode settings for their account profiles, Pen Test Partners says.”

The blog goes onto explain that “Peloton has two different privacy settings: ‘private profile’ and ‘hide my age and gender.’ ’Private profile’ restricts users from viewing your profile, and ‘hide my age and gender’ does that in online classes. Having a private profile does not protect all of your data when using Peloton’s classes.”

What is at Risk?

According to the threat researchers, Peloton customers’ user IDs, instructor IDs, locations, group membership details, workout stats, gender, and age is the information that may have been exposed. 

Threat researchers warn that “The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users.”

Alarmingly, Pen Test Partners said that Peloton acknowledged the issue and ignored it but then quietly fixed one of the flaws in February. Even after the initial repair of the API, the data was still available “to all authenticated Peloton users.”

After this second round of fixes, Pen Test Partners assures the public that, for the most part, the issue has been resolved. They had to hire a journalist to start the dialog with Peloton to resolve the issue. Pen Test Partners commented that “It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to.”

Peloton has become very popular during the pandemic as a way for people to keep fit. They have over three million subscribers, including President Biden. 

How Did Peloton Respond?

Peloton reported to Information Security Media Group that “As of this week, we have implemented fixes to the rest, and we are still in discussions with the researcher to hear his feedback on the solutions we’ve implemented. Going forward, we will do better to respond more promptly to security researchers who report vulnerabilities under our coordinated vulnerability disclosure program.”

However, the company denied a public comment and would not speculate how many users’ data was affected.

A hacker and threat researcher at Sequence Security said this about the situation

“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community while respecting those who want privacy by ensuring the data is secure, they have risked all user data.”

How Peloton Users Can Stay Safe

Keep all your equipment, firmware, and apps updated to the latest security patches. Keep on top of emerging threats and look for updates to improve security measures. Try to share as little information as possible by limiting permissions and adjusting your privacy and security settings in all apps. 

Others way for users to stay safe are:

• Always use strong passwords.

• Turn on two-factor authentication whenever it is offered.

• Keep antivirus/anti-malware software running on all your devices. 

• Sign up for identity theft monitoring to protect your identity from thieves.