[BreachExchange] Newly Patched Peloton API Flaws Exposed Users' Private Data

Destry Winant destry at riskbasedsecurity.com
Fri May 7 10:42:21 EDT 2021


https://www.databreachtoday.com/newly-patched-peloton-api-flaws-exposed-users-private-data-a-16534

Security researchers say API flaws could have exposed the private data of
millions of Peloton fitness equipment online service users for months
before they were recently patched.

News of the vulnerabilities emerged the same week that Peloton announced
voluntary recalls of two of its treadmills over serious safety concerns.

In a blog posted Wednesday, security consultancy Pen Test Partners says
that in January its researchers notified Peloton via its vulnerability
disclosure site about flaws in an endpoint API.

The flaws could allow unauthenticated individuals to view sensitive
information for all Peloton users, including snooping on live class
statistics, even when users chose private mode settings for their account
profiles, Pen Test Partners says.

"Peloton has two different privacy settings: 'private profile' and 'hide my
age and gender,'" the blog notes. "'Private profile' restricts users from
viewing your profile, and 'hide my age and gender' does that in online
classes. Having a private profile does not protect all of your data when
using Peloton’s classes."

Data Exposed
The private information of Peloton users that was potentially exposed
includes user IDs, instructor IDs, group membership, location, workout
stats, gender and age, the Pen Test Partners researchers say.

"The mobile, web application and back-end APIs had several endpoints that
revealed users’ information to both authenticated and unauthenticated
users," the researchers say.

The Pen Test Partners blog notes that Peloton acknowledged the firm's
vulnerability disclosure submission but then "ignored" the researchers and
quietly "fixed" one of the issues in February. Peloton's initial correction
did not fully solve the problem, the researchers say. After that fix, user
data was still accessible "to all authenticated Peloton users," the blog
notes.

Pen Test Partners recently asked a journalist to contact the fitness gear
maker about the issues, and by Wednesday, "the vulnerabilities were largely
fixed," the researchers write in the blog.

Peloton's Response
In a statement provided to Information Security Media Group, Peloton
acknowledged that it implemented a partial fix for one of the reported
issues when it received the initial report from the security researchers.

"As of this week, we have implemented fixes to the rest, and we are still
in discussions with the researcher to hear his feedback on the solutions
we’ve implemented," Peloton says. "Going forward, we will do better to
respond more promptly to security researchers who report vulnerabilities
under our coordinated vulnerability disclosure program."

Peloton did not address ISMG's request for other information, including the
number of individuals whose data was potentially exposed.

Flaws Described
Pen Test Partners researcher Ken Munro tells ISMG that three problems were
identified in the Peloton APIs.

"First, the GraphQL API endpoints weren’t initially checking that the
[query] request was from an authorized user. By enforcing authorization,
this problem was partly solved," he says.

"Second, even when partly resolved, requests to those endpoints were
disclosing data from other users than the one intended," he says. "Again,
stronger request authorization finally resolved this. API request
authorization is a very common problem: Developers should ensure that the
user making the request is the one that is intended to have access to that
information."

The third issue, Munro says, "was that privacy settings weren’t being
respected by the platform. A user turned on privacy settings, but they
weren’t effective when one joined an online class."
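The three problems Munro describes map onto three checks a resolver has to make. The sketch below is an added example for this post, not Peloton's code and not the researchers' test cases: a minimal GraphQL-style resolver layer for a user profile, written first in the leaky shape described in the article (no authentication, no object-level check), then as the partial fix that only requires a login, then hardened so that authentication, object-level authorization and the two privacy settings are each enforced. Every name, field and sample user in it is constructed for illustration.

```javascript
// Constructed sample data: two users, one with both privacy settings on.
const USERS = {
  "u-100": { id: "u-100", age: 41, gender: "F", location: "Leeds",
             workoutStats: { rides: 212 }, privateProfile: true, hideAgeGender: true },
  "u-200": { id: "u-200", age: 29, gender: "M", location: "Austin",
             workoutStats: { rides: 17 }, privateProfile: false, hideAgeGender: false },
};

// Fields any authenticated viewer may see on a non-private profile.
const PUBLIC_FIELDS = ["id", "location", "workoutStats"];

// Leaky resolver (the "before"): looks up whatever id the query names and
// returns the full record. Nothing checks who, if anyone, is asking.
function userProfileLeaky(_ctx, args) {
  return USERS[args.id] || null;
}

// Partial fix (the shape of the February change the article describes):
// requires a login, but still returns any user's full record to any
// authenticated caller. Authentication without object-level authorization.
function userProfilePartialFix(ctx, args) {
  if (!ctx || !ctx.viewerId) throw new Error("UNAUTHENTICATED");
  return USERS[args.id] || null;
}

// Project a user record to what a non-owner may see, honouring
// "hide my age and gender". Shared by the profile and class views.
function publicView(user) {
  const view = {};
  for (const f of PUBLIC_FIELDS) view[f] = user[f];
  if (!user.hideAgeGender) {
    view.age = user.age;
    view.gender = user.gender;
  }
  return view;
}

// Hardened resolver: authentication, then object-level authorization
// (may this viewer see this particular user?), then the privacy flags.
function userProfileHardened(ctx, args) {
  const viewer = ctx && ctx.viewerId;
  if (!viewer) throw new Error("UNAUTHENTICATED");          // check 1
  const target = USERS[args.id];
  if (!target) return null;
  if (viewer === target.id) return { ...target };          // owner: full record
  if (target.privateProfile) throw new Error("FORBIDDEN"); // check 2
  return publicView(target);                               // check 3
}

// Class leaderboard: in an online class participants are visible to each
// other, so "private profile" does not apply there, but "hide my age and
// gender" still must (the third issue was that it was not honoured in class).
function classLeaderboardHardened(ctx, args) {
  if (!ctx || !ctx.viewerId) throw new Error("UNAUTHENTICATED");
  return args.participantIds
    .map((id) => USERS[id])
    .filter(Boolean)
    .map((u) => (u.id === ctx.viewerId ? { ...u } : publicView(u)));
}

// Harness: call a resolver the way a test suite would and turn a throw into
// a result object, so access decisions can be asserted without try/catch.
function probe(resolver, ctx, args) {
  try {
    return { status: "ok", data: resolver(ctx, args) };
  } catch (e) {
    return { status: "denied", reason: e.message };
  }
}

// Regression check in the spirit of a retest: each resolver must deny
// anonymous callers and must not hand one user's protected fields to
// another. Returns the list of failures; an empty list means all pass.
function auditResolvers() {
  const failures = [];
  const anon = probe(userProfileHardened, {}, { id: "u-100" });
  if (anon.status !== "denied") failures.push("anonymous profile read succeeded");
  const cross = probe(userProfileHardened, { viewerId: "u-200" }, { id: "u-100" });
  if (cross.status !== "denied") failures.push("private profile readable by another user");
  const board = probe(classLeaderboardHardened, { viewerId: "u-200" },
                      { participantIds: ["u-100", "u-200"] });
  const hidden = board.data.find((r) => r.id === "u-100");
  if ("age" in hidden || "gender" in hidden) failures.push("hide age/gender ignored in class");
  return failures;
}
```

The ordering inside `userProfileHardened` is the point: authenticating the caller (check 1) is what the partial fix did, and on its own it still lets every logged-in user read every other user's record, which is the second issue Munro describes. The object-level decision (check 2) has to be made per target record, and the privacy flags (check 3) have to be applied by every view that renders a user, including the class view, or a setting that protects the profile page silently stops protecting the same data elsewhere.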

Munro notes that his firm has identified similar security issues on other
fitness devices, including running and biking apps.

Millions of Subscribers
Peloton has more than 4.4 million members, including nearly 1.7 million
connected fitness subscribers, according to its second quarter 2021
shareholder letter.

"Famous figures, such as the president of the United States, use Peloton,"
the Pen Test Partners blog notes.

The New York Times in January reported that prior to being inaugurated, the
prospect of Biden's use of his Peloton bike in the White House was raising
security concerns - not for the API issue spotlighted by Pen Test Partners
but rather because Peloton tablets have built-in cameras and microphones
that allow users to see and hear one another if they choose.

It's unclear whether Biden is using his Peloton in the White House with the
tablet and connectivity removed, the newspaper reported.

Importance of Testing
The Peloton incident highlights the importance of businesses conducting
regular security and vulnerability testing on their software to address any
potential leaks or unauthorized exposure of personal data, says regulatory
attorney Ashley Thomas of the law firm Morris, Manning & Martin LLP.

"The Federal Trade Commission has signaled that organizations should begin
to incorporate vulnerability disclosure programs in their business
practices," she notes.

The FTC has indicated that the failure to maintain an adequate process for
receiving and addressing security vulnerability reports from outside
security researchers and consultants could potentially be considered an
unreasonable practice in violation of Section 5 of the FTC Act, she adds.

Any time personal information about an individual is inappropriately
disclosed, "there is the potential for the disclosure to be harmful," says
privacy attorney Sheila Sokolowski of law firm Hintze Law PLLC.

"While many people who use these types of apps and devices are happy to
share their personal information, not everyone is," she says. "It depends
on each individual’s circumstances, which can, of course, change over time."

Other Incidents
Other reports of lax security in fitness apps and wearable devices have
emerged.

For example, Strava, a fitness tracking mobile app, inappropriately
released a heat map showing the physical movements of its users from around
the world as a result of the app accessing a user’s mobile phone GPS to
track when and where the user was exercising.

"This included individuals in the military. By analyzing this heat map, one
could easily discover commonly used exercise routes or patrolled roads from
military bases in combat zones in Afghanistan, Iraq and Syria," Thomas says.

Not long after that discovery, the Department of Defense released a new
policy prohibiting the use of GPS functions in deployed locations, she
notes.

"Security vulnerabilities in fitness apps and wearables can present privacy
and real safety concerns to individual users," Thomas adds.

"It is rare that a company will try to mislead a user, but in the rush to
market, sometimes technological or design mistakes can be made," Sokolowski
says. "The technology and privacy design are complicated. When mistakes are
made, companies need to respond in a timely and responsible way."