Peloton Has 99 Problems And Data Leakage Is One Of Them

Peloton is having a bad day. It recalled all of its treadmills today after reported injuries and a death, but it also has a data privacy issue on its hands. Zack Whittaker, reporting for TechCrunch, details the issue:

Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data. My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private. Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.) But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private. Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public. But that deadline came and went, the bug wasn’t fixed and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report.

That’s a total #Fail. Peloton really is dropping the ball here. But that’s not how the company sees things:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

If you want the technical details, the researcher who found this issue put up a blog post explaining the vulnerabilities. But let’s be clear, Peloton has to do much, much better than this. They really need to assure their users that their personal information can’t be grabbed and sold on the dark web or something. Without that assurance, there’s zero reason for anyone to trust this company or buy their products. Ever.
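To make the access-control gap TechCrunch describes concrete, here is an added example (not Peloton's code or the researcher's) of a toy profile handler with the defect beside a corrected version. The field names, the friends list and the request shape are assumptions.

```python
# Added example, not Peloton's code or the researcher's: a toy profile
# endpoint modelling the defect described above (hidden fields served to
# unauthenticated callers) next to a corrected version. The field names,
# the 'friends' relationship and the request shape are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Fields the article says are hidden when a profile is set to private.
HIDDEN_WHEN_PRIVATE = {"age", "gender", "city", "weight", "workout_stats"}


@dataclass
class Profile:
    username: str
    private: bool
    friends: set = field(default_factory=set)
    data: dict = field(default_factory=dict)


# Constructed sample record; every value here is made up.
SAMPLE = Profile(
    username="rider42", private=True, friends={"buddy"},
    data={"username": "rider42", "age": 41, "gender": "f", "city": "NYC",
          "weight": 63, "workout_stats": {"rides": 120}},
)


def get_profile_leaky(profile: Profile, requester: Optional[str]) -> dict:
    """Vulnerable: serialises the whole record for any caller. The privacy
    flag is honoured only by the web UI, so the API hands out hidden fields."""
    return dict(profile.data)


def get_profile_fixed(profile: Profile, requester: Optional[str]) -> dict:
    """Fixed: hidden fields go only to an authenticated requester who owns
    the profile or is on its friends list; everyone else gets the same
    view that the private profile page shows."""
    if not profile.private:
        return dict(profile.data)
    authorised = requester is not None and (
        requester == profile.username or requester in profile.friends)
    if authorised:
        return dict(profile.data)
    return {k: v for k, v in profile.data.items() if k not in HIDDEN_WHEN_PRIVATE}


def leaked_fields(profile: Profile, handler: Callable) -> set:
    """Hidden fields an unauthenticated request can read through `handler`."""
    return set(handler(profile, None)) & HIDDEN_WHEN_PRIVATE
```

The check `leaked_fields(SAMPLE, handler)` is the kind of regression test that would have caught this: it should be empty for every private-profile endpoint, no matter what the UI does.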
