iOS Fitness app Fitify exposes 138K user private photos 

The Cybernews research team has uncovered a data leak involving Fitify, a popular fitness app with over 25 million installs globally. Researchers discovered that 373,000 sensitive user files, including 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket with no password protection or encryption at rest, meaning anyone could access them.

Among the leaked files were:

  • 206,000 user profile photos
  • 138,000 progress pictures uploaded by users to track fitness changes
  • 13,000 AI coach message attachments, which may include images or text
  • 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture)

Key research highlights 

  • Many of the exposed photos were semi-nude body scans, captured by users trying to document weight loss or muscle growth.
  • Fitify promises encryption in transit, but the lack of basic access controls poses serious privacy risks.
  • Researchers also found hardcoded secrets embedded in the app’s code — including Google API and Client IDs, Firebase database URLs, Facebook tokens, and even an Algolia API key, which wasn’t disclosed in the privacy policy.
  • These exposed credentials could let attackers access backend infrastructure, impersonate users, or inject malicious content.
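As an added defensive check (not code from the Cybernews report or from Fitify), the Python below audits a Cloud Storage bucket's IAM policy and bucket metadata for the conditions that leave an upload bucket readable by anyone. The sample policy and metadata are constructed in the shape of the Cloud Storage JSON API `buckets.getIamPolicy` and `buckets.get` responses; the bucket and service-account names are placeholders.

```python
import json

# Constructed sample in the shape of the Cloud Storage JSON API `buckets.getIamPolicy`
# response; the service-account identity is a placeholder, not one from the report.
POLICY_PUBLIC = json.dumps({
    "kind": "storage#policy",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:backend@example-project.iam.gserviceaccount.com"]},
    ],
})
# Same policy with the public grant removed: only the backend identity can read objects.
POLICY_FIXED = json.dumps({
    "kind": "storage#policy",
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:backend@example-project.iam.gserviceaccount.com"]},
    ],
})
# Constructed bucket metadata (`buckets.get` shape): the weak configuration next to the fix.
BUCKET_WEAK = {"name": "example-user-uploads",
               "iamConfiguration": {"publicAccessPrevention": "inherited",
                                    "uniformBucketLevelAccess": {"enabled": False}}}
BUCKET_FIXED = {"name": "example-user-uploads",
                "iamConfiguration": {"publicAccessPrevention": "enforced",
                                     "uniformBucketLevelAccess": {"enabled": True}}}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy_json: str) -> list:
    """Return (role, principal) pairs that grant access to anyone on the internet
    (allUsers) or to anyone holding any Google account (allAuthenticatedUsers)."""
    policy = json.loads(policy_json)
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]


def audit_bucket(metadata: dict, policy_json: str) -> list:
    """Findings for one bucket; an empty list means no public exposure path was found."""
    findings = [f"IAM grants {role} to {who}" for role, who in public_bindings(policy_json)]
    iam_cfg = metadata.get("iamConfiguration", {})
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced', so a public grant takes effect")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access is off: legacy per-object ACLs can still expose files")
    return findings


if __name__ == "__main__":
    for label, meta, policy in (("weak", BUCKET_WEAK, POLICY_PUBLIC), ("fixed", BUCKET_FIXED, POLICY_FIXED)):
        print(label, audit_bucket(meta, policy) or ["no findings"])
```

In a real environment the two inputs come from `gcloud storage buckets get-iam-policy` and `gcloud storage buckets describe` (or the REST API), run across every bucket in the project, and any bucket holding user uploads should produce an empty findings list.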

To read the full research report and see samples of screenshots, please click here.
