Peloton Under Fire After API Discovered to be Leaking Customer Information
Peloton, a manufacturer and distributor of exercise machines that live-stream workout classes, is under fire after the discovery that its API was leaking customers' private data. It also emerged that the company ignored a vulnerability disclosure from a penetration-testing firm, partially fixed the hole, and did not get around to telling the researcher until he turned to a cybersecurity journalist for help.
On top of the privacy spill, Peloton is also recalling all of its treadmills after the equipment was linked to 70 injuries and the death of one child. It has also admitted that it was wrong to refuse the Consumer Product Safety Commission's request that it pull the equipment: in April, the CPSC warned consumers to stay off the Peloton Tread+, which it said "poses serious risks to children for abrasions, fractures, and death."
Pen Test Partners security researcher Jan Masters discovered that a bug allowed anyone to scrape users' private account data straight from Peloton's servers, even when the profiles were set to private. As Masters explained in a post about the flaw, the leaky API let any user, or any random passerby on the internet, make an unauthenticated request for account data, and the API answered without checking that the requester had any right to it. In other words, the server neither verified who was asking nor enforced the profile's privacy setting before returning the record. The same API is what the bikes use to upload data to Peloton's servers.
The full list of exposed private details:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- Whether they are in the studio
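To make the class of bug concrete, here is an added, illustrative model of a profile-lookup endpoint with the weakness described above beside a hardened version. This is example code written for this page, not Peloton's code; the field names follow the list above, while the user records, session tokens, function names and the choice of which fields a public profile exposes are all assumptions constructed for the example.

```python
"""Illustrative model of an API that returns profile data without checking the
caller (the 'before'), next to a version that authenticates the caller and
enforces the profile's privacy flag server-side (the 'after').

Everything here is constructed for the example: the records, tokens and field
names are not real accounts or a real API.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Profile:
    user_id: str
    private: bool
    instructor_id: Optional[str]
    groups: list[str]
    workout_stats: dict
    gender: str
    age: int
    in_studio: bool


# Constructed sample users (hypothetical data).
USERS = {
    "u1001": Profile("u1001", True, "i42", ["morning-riders"],
                     {"rides": 120, "output_kj": 35000}, "F", 34, False),
    "u1002": Profile("u1002", False, None, ["weekend-warriors"],
                     {"rides": 7, "output_kj": 1500}, "M", 51, True),
}

# Constructed session store: bearer token -> authenticated user_id.
SESSIONS = {"tok-a": "u1001", "tok-b": "u1002"}


class ApiError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status


def vulnerable_get_profile(user_id: str, token: Optional[str] = None) -> dict:
    """Before: look up the record by ID and return all of it. The token is
    accepted but never inspected, so an unauthenticated caller gets exactly
    what the owner would, and the 'private' flag changes nothing."""
    p = USERS.get(user_id)
    if p is None:
        raise ApiError(404, "no such user")
    return asdict(p)


def hardened_get_profile(user_id: str, token: Optional[str] = None) -> dict:
    """After: authenticate first, then authorize access to this specific object.
    The owner gets the full record. Anyone else gets nothing for a private
    profile (404, the same answer as for an unknown ID, so the endpoint does
    not confirm the ID exists) and only a reduced view of a public profile."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        raise ApiError(401, "authentication required")
    p = USERS.get(user_id)
    if p is None or (p.private and caller != user_id):
        raise ApiError(404, "no such user")
    if caller == user_id:
        return asdict(p)
    # Public view: the subset exposed to other members is an assumption here;
    # the point is that the server, not the client, decides what leaves.
    return {"user_id": p.user_id, "instructor_id": p.instructor_id,
            "groups": list(p.groups)}


def call(handler, user_id: str, token: Optional[str] = None):
    """Stand-in for the HTTP layer: returns (status_code, body)."""
    try:
        return 200, handler(user_id, token)
    except ApiError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    # An anonymous caller asking for a private profile.
    print("vulnerable, no token:", call(vulnerable_get_profile, "u1001"))
    print("hardened,   no token:", call(hardened_get_profile, "u1001"))
    # Another authenticated member asking for the same private profile.
    print("hardened,   other user:", call(hardened_get_profile, "u1001", "tok-b"))
    # The owner asking for their own record.
    print("hardened,   owner:", call(hardened_get_profile, "u1001", "tok-a"))
```

Run as a script it prints the four responses; the unauthenticated request against the vulnerable handler returns the full private record, which is the behaviour the researcher reported, while the hardened handler rejects it with 401 and hides private profiles from other members entirely.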