Peloton security flaw would have let anyone access user data
Exposed API allowed unauthenticated users to gain access to Peloton customer data
One of the best things about owning a Peloton Bike is the fact that your workouts are private, but earlier this year a security researcher discovered that it was possible to make unauthenticated requests to the company’s API to gain access to Peloton users' account data.
Security researcher Jan Masters at the UK-based security firm Pen Test Partners first began looking at the at-home fitness brand’s security right around the time that President Biden was inaugurated and revealed that he planned to bring his Peloton Bike to the White House. At the time, cybersecurity experts warned that doing so could pose a risk to national security, and now it appears that they may have been right.
During his investigation, Masters discovered that, as a result of Peloton’s exposed API, he could retrieve from the company’s servers the user IDs, instructor IDs, group membership, location, workout stats, gender and age of users of the company’s online membership program, even if those users had their profile set to private.
In mid-January, Masters reported his findings to the company and gave it a 90-day disclosure deadline, as is the industry standard, to patch the bug that allowed unauthenticated users to access the account data of Peloton users.
Exposed API
When the 90-day deadline had come and gone with just an email from Peloton acknowledging that it had seen the bug report, Masters decided to reach out to TechCrunch, which first broke the story.
While the company didn’t fix the initial bug, it did restrict access to its API to its members. However, this meant that anyone could have signed up for a monthly digital membership for just $12.99 and accessed the API, and with it Peloton user account data, all the same.
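The interim fix described above, restricting the API to members, left the underlying bug in place: the endpoint still handed out another user's private profile to any authenticated caller. The following Python sketch is an added illustration, not Peloton's code or API; it uses a constructed in-memory profile store and hypothetical policy functions to contrast the three states the article describes: open to anyone, members-only, and a proper per-profile authorization check that respects the private setting.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Profile:
    user_id: int
    instructor_id: Optional[int]
    location: str
    workout_count: int
    private: bool
    # Users the owner has explicitly allowed to see the private fields.
    approved_viewers: frozenset = field(default_factory=frozenset)


@dataclass
class Caller:
    user_id: Optional[int]   # None means the request is unauthenticated
    is_member: bool = False


# Constructed sample data (not real accounts): user 1 is private, user 2 is public.
PROFILES: Dict[int, Profile] = {
    1: Profile(1, instructor_id=42, location="Washington, DC", workout_count=120,
               private=True, approved_viewers=frozenset({3})),
    2: Profile(2, instructor_id=None, location="Austin, TX", workout_count=15,
               private=False),
}

PUBLIC_FIELDS = ("user_id",)
PRIVATE_FIELDS = ("instructor_id", "location", "workout_count")

Policy = Callable[[Caller, Profile], dict]


def _serialize(profile: Profile, full: bool) -> dict:
    data = {f: getattr(profile, f) for f in PUBLIC_FIELDS}
    if full:
        data.update({f: getattr(profile, f) for f in PRIVATE_FIELDS})
    return data


def policy_open(caller: Caller, target: Profile) -> dict:
    """State 1 (the reported bug): no authentication, every field returned."""
    return _serialize(target, full=True)


def policy_members_only(caller: Caller, target: Profile) -> dict:
    """State 2 (the interim fix): non-members are refused, but any member still
    receives every field of every other member. Authentication was added;
    the object-level authorization decision is still missing."""
    if not caller.is_member:
        raise PermissionError("membership required")
    return _serialize(target, full=True)


def policy_object_level(caller: Caller, target: Profile) -> dict:
    """State 3: authenticate, then authorize per target profile. Private fields
    go only to the owner, to approved viewers, or when the profile is public."""
    if caller.user_id is None:
        raise PermissionError("authentication required")
    is_owner = caller.user_id == target.user_id
    allowed = is_owner or not target.private or caller.user_id in target.approved_viewers
    return _serialize(target, full=allowed)


def get_profile(policy: Policy, caller: Caller, target_id: int) -> dict:
    """Endpoint handler: look up the profile, then apply the chosen policy."""
    target = PROFILES.get(target_id)
    if target is None:
        raise KeyError(f"no profile {target_id}")
    return policy(caller, target)


def is_denied(policy: Policy, caller: Caller, target_id: int) -> bool:
    """True when the policy refuses the request outright."""
    try:
        get_profile(policy, caller, target_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    anonymous = Caller(user_id=None)
    member = Caller(user_id=2, is_member=True)
    for name, policy in [("open", policy_open), ("members-only", policy_members_only),
                         ("object-level", policy_object_level)]:
        for who, caller in [("anonymous", anonymous), ("member 2", member)]:
            if is_denied(policy, caller, 1):
                print(f"{name:12s} {who:10s} -> denied")
            else:
                print(f"{name:12s} {who:10s} -> {get_profile(policy, caller, 1)}")
```

The point the three policies make is that a membership gate is an authentication control, while the leak was an authorization bug: the decision has to be made per requested profile, against that profile's own privacy setting and the caller's relationship to it, not merely at the door of the API.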
In the time since, though, Peloton has confirmed with TechCrunch that the vulnerability is now fixed. TechRadar Pro also reached out to the company, and a Peloton spokesperson explained how it plans to work more closely with security researchers through its Coordinated Vulnerability Disclosure program going forward, saying:
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”
Via TechCrunch
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.