Peloton is having a rough day. First, the company recalled two treadmill models following the death of a 6-year-old child who was pulled under one of the devices. Now comes word Peloton exposed sensitive user data, even after the company knew about the leak. No wonder the company’s stock price closed down 15 percent on Wednesday.
Peloton provides a line of network-connected stationary bikes and treadmills. The company also offers an online service that allows users to join classes, work with trainers, or do workouts with other users. In October, Peloton told investors it had a community of 3 million members. Members can set accounts to be public so friends can view details such as classes attended and workout stats, or users can choose for profiles to be private.
I know where you worked out last summer
Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.
Data exposed included:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- If they are in the studio or not
Ars agreed to withhold another piece of personal data exposed because Peloton is still working to secure it.
A blog post Pen Test Partners published on Wednesday said that the APIs required no authentication before providing the information. Company researchers said that they reported the exposure to Peloton in January and promptly received an acknowledgement. Then, Wednesday’s post said, Peloton went silent.
Slow response, botched fix
Two weeks later, the researchers said, the company silently provided a partial fix. Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber.
When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Text Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.
“I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users,” Munro told me. “I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs.”
A Peloton representative declined to discuss the timeline on the record but did provide the following canned response:
It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.
The incident is the latest reminder that data stored online is often free for the taking, even when companies say it isn’t. This puts people in a bind. On the one hand, sharing weight, workout stats, and other data can often help users get the most out of training sessions or group workouts. On the other… well, you know.
I generally try to falsify, or leave incomplete much of the data I provide. Most of the services I use that require a credit card will approve purchases just fine even when I supply a false name, address, and phone number. Not having those details attached to user names or other data can often minimize the sting of a data leak like this one.
Update: I wasn’t clear in the last paragraph, so I’ll try again. Sites generally have two places where they ask for your information. One set is stored with the user account details. The other is used by the billing processor. My Amazon account, for instance, lists my name as Dang. But when I provided my credit card details, I obviously didn’t provide a false name.
The same goes for HBO Max. There’s a tab for account info, and there’s a tab for billing info. I see no reason why I should enter my real or full name in the account tab. For obvious reasons, I don’t falsify info in the billing tab. That said, I can often get away with providing incomplete info when providing billing info. For instance, the billing section of many sites allows me to provide only my street name but not my house number, and only the initials of my first and last name.
My rationale for all of this: Sites generally store account data and billing data in separate buckets, and the bucket holding the billing data seems to be better secured. Internet companies have a terrible track record of securing user data. The less they have about me the better. I’m hoping these additional details better explain how and why I do this.