Peloton API Makes Users’ Personal Data Vulnerable

Exercise equipment maker Peloton experienced a data security incident that allowed attackers to obtain sensitive user data. The company's leaky API was reportedly the root cause, leaving private information exposed on the Internet, according to Tech Crunch.

The security flaw was first discovered by cybersecurity researcher Jan Masters of Pen Test Partners, a UK-based security firm. Upon discovering the bug, Masters reported it to Peloton on January 20, 2021, according to The Verge.

The API in question is an outdated version of the one the exercise equipment maker uses. The Verge notes that this API is the software that lets Peloton's bikes and treadmills connect to its servers.

Peloton Makes Users’ Personal Data Vulnerable

To test the leaky API, Masters checked whether it would accept unauthenticated requests. It did, and he was reportedly able to retrieve users' personal data, including their age, gender, weight, city, and workout statistics.

Even for users whose Peloton profiles were set to private, Tech Crunch states that the leaky API could still return the user's birthday.

In addition, Masters' write-up on the Pen Test Partners blog revealed that instructor IDs, group memberships, and whether or not individuals were in the studio were also disclosed in response to an unauthenticated request.
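To make the flaw class concrete, here is an added example (not Peloton's code; endpoint shape, field names, sample profiles and session tokens are all assumptions) of a profile read handler that answers anyone, beside a hardened version that requires a session and honours the private-profile setting:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Profile:
    user_id: str
    username: str
    age: int
    gender: str
    weight: int
    city: str
    birthday: str
    private: bool

# Constructed sample data and session tokens; none of these are real values.
PROFILES: Dict[str, Profile] = {
    "u1": Profile("u1", "rider_one", 34, "F", 140, "Austin", "1987-03-02", private=False),
    "u2": Profile("u2", "rider_two", 41, "M", 180, "Leeds", "1980-07-19", private=True),
}
SESSIONS: Dict[str, str] = {"tok-u1": "u1", "tok-u2": "u2"}  # token -> user_id

# Fields a public profile exposes to other signed-in users; birthday is never one of them.
PUBLIC_FIELDS = ("user_id", "username", "age", "gender", "weight", "city")

def vulnerable_get_profile(user_id: str, token: Optional[str] = None) -> Tuple[int, dict]:
    """The leaky pattern: the token is never checked and every field is returned,
    regardless of whether the profile is private."""
    p = PROFILES[user_id]
    return 200, dict(vars(p))

def hardened_get_profile(user_id: str, token: Optional[str]) -> Tuple[int, dict]:
    """Authenticate first, then filter the response by ownership and privacy."""
    caller = SESSIONS.get(token or "")
    if caller is None:
        return 401, {"error": "authentication required"}   # reject unauthenticated reads
    p = PROFILES.get(user_id)
    if p is None:
        return 404, {"error": "not found"}
    if caller == p.user_id:
        return 200, dict(vars(p))                            # owners see their own full record
    if p.private:
        return 200, {"user_id": p.user_id, "username": p.username}  # minimal view only
    return 200, {k: getattr(p, k) for k in PUBLIC_FIELDS}   # public profile, no birthday
```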

After reporting the bug to Peloton, Masters gave the company 90 days to address and fix the issue. Although the firm failed to update Masters about the fix, Tech Crunch revealed that the company had already issued a patch for the API.

In a statement, Amelise Lane, Peloton spokesperson, said, "It's a priority for Peloton to keep our platform secure and we're always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that's available on a Peloton profile."

“We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues,” continued the Peloton representative.

In addition to the data leak, Peloton also had to recall its treadmills after a series of injuries and the death of a child. Following this, the company's stock fell by 14%, reports Tech Crunch.