A bug in Peloton’s API may have exposed a whole lot of user data

guest · May 5, 2021

A bug in Peloton’s API may have exposed a whole lot of user data
The bug is fixed, but users’ age, location, and workout history may have been exposed
May 5, 2021
https://www.theverge.com/2021/5/5/22421329/peloton-api-bug-customer-data-exposed

An old version of Peloton’s API, the software that allows the company’s bikes and recalled treadmills to communicate with its servers, may have exposed private customer profiles, according to a report from TechCrunch. The bug was first spotted by Jan Masters, a security researcher at Pen Test Partners, and reported to Peloton on January 20th, but the company is only just now confirming that the bug has been fixed.

Using Peloton’s API, Masters was able to scrape all sorts of customer information that would typically be private, depending on the individual user’s settings. That includes customer profiles, which can potentially feature their age, location, birthday, and workout history.
Click to expand...

All Masters had to do was make an unauthenticated request to Peloton’s API and customer data was his. Masters has a more thorough explanation of how the exploit worked on Pen Test Partners’ blog and also summarized his findings in the video below:

Masters writes that Peloton apologized and said it resolved a majority of the API issues within a week of his report.
When The Verge followed up to check, Peloton said it had nothing new to share that it hadn’t already provided TechCrunch and Pen Test Partners. The company also reiterated it responded to the API issue immediately.
Click to expand...

Pen Test Partners: Tour de Peloton: Exposed user data

Unauthenticated endpoints were present which allowed users to interrogate information.

Peloton says they have > 3 million subscribers, with over 1 million connected fitness subscribers.

Famous figures such as the President of the United States use Peloton.

Peloton acknowledged the disclosure, then ignored me and silently ‘fixed’ one of the issues. The ‘fix’ didn’t fix the vulnerability.

90 days later, we asked a trusted journalist to speak to Peloton on our behalf. This started a constructive conversation and resulted in the vulnerabilities being largely resolved.

Click to expand...

Floyd 57 · May 6, 2021

Lol what, joe biden uses exercise bike and some random app?

The real selling point is the app and subscription services that goes with them. It gives users access to live real-time classes and sessions with a coach, not just for the bike though. They also provide classes for their treadmill, yoga, and outdoor running.

A user can have access to all this for a very reasonable £12.99 a month.
Click to expand...

~Phrase removed.~

Also, it's users' fault for entering personal data. You do not need anything more than age and physical stats for this, why u need to enter real name and location and stuff...

Log in or Sign up

A bug in Peloton’s API may have exposed a whole lot of user data

guest Guest

Floyd 57 Registered Member

Log in or Sign up

A bug in Peloton’s API may have exposed a whole lot of user data

guest Guest

Floyd 57 Registered Member

Useful Searches