Peloton’s Leaky API is Hubris Personified — at Least When It Comes to User Personal User Safety and Data Privacy
Futurum Tech Webcast - A podcast by The Futurum Group
Categorie:
The News: Peloton’s leaky API, which exposed private user data, was in the news alongside some other not-so-great news for the fitness brand this last week. The leaky API was first reported by Tech Crunch’s Zach Whittaker, and you can read his story here. Analyst Take: It has most definitely not been a great few weeks for Peloton. With the recall of all Peloton Tread and Tread+ treadmills after the death of a child and some 70+ injuries after the brand first tried to shake off the concerns of the CPSC, and then later admitting it was wrong, Peloton was already in the spotlight. Adding to the Tread disaster is the that the Peloton API is leaking private customer data and it made a bad period for the brand reputation overall. Regarding concerns about the Peloton API, this is an important user data privacy issue. Peloton has a community of some 3 million plus members. When setting themselves up in the Peloton system, members can choose to keep their profiles private or make them public, so that their friends can see their stats, workouts, etc. User profiles also include things like height, weight, age, gender, you know …. personal details. Many users, myself included, prefer to have a private profile. That means you still enter in that information, but you keep your settings private, not public. Easy, right? Except when it doesn’t work. The Peloton API vulnerability was disclosed by Jim Masters, a researcher at Pen Test Partners, a security consulting company and the bug allowed anyone to pull users’ private information directly from Peloton’s servers, even if a profile is set to private. Pen Test reported that the Peloton APIs required no authentication and that the information was simply available for anyone who went looking. This information included things I. mentioned earlier: User IDs, Instructor IDs, Group Membership, Workout Stats, Gender and Age, Height, Weight, and city where the user is located. Pen Test Partners published an article last week stating that they reported the issue to Peloton in January and provided a 90-day deadline to fix the bug. Pretty common operating procedure. Masters got a confirmation from the company that the notice was received. Two weeks later, Pen Test noticed that Peloton executed what they observed was a partial fix and said nothing about it. This partial fix meant fixing the API so that the data was no longer available to anyone, but instead only to anyone with a Peloton account. What? Pen Test Partners tried hard to connect with Peloton about this and were soundly ignored. It was only when Zach Whittaker, writing about the leak for Tech Crunch asked about it that the company decided it was probably a good idea to do something. Jim Masters published a blog post on this issue that he updated on May 5th following a conversation with Peloton’s new CISO who advised the vulnerabilities were mostly fixed within seven days. My colleague Fred McClimans and I covered the leaky Peloton API as part of our Cybersecurity Shorts series of the Futurum Tech Webcast. There’s more to the conversation, so check it out.