Peloton’s poor protections

Unauthenticated access to user data is a pretty big error. Peloton left an API exposed that did exactly that. In fact, it did so with at least three.

“Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.

My Peloton profile is set to private and my friends list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.”

Zack Whittaker, who writes on cyber security for TechCrunch, opened his story with this concerning snippet.

The detailed write-up of the exposure by the researchers at Pen Test Partners enumerates three separate issues:

  • Issue 1: Class Information Snooping
  • Issue 2: User Search Feature
  • Issue 3: Unauthenticated GraphQL Endpoint

Each of these is a separate API endpoint through which real user data could be accessed without authentication, even if the user had set their profile to “private.” In every case the server answered a request for another user’s data without first checking who was asking or whether that user had opted out of sharing it.
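To make that defect class concrete, here is an added example written for this post. It is not Peloton’s code and is not taken from the Pen Test Partners write-up; every user, field, token and function name in it is constructed. It shows a hypothetical profile endpoint that hands private fields to any caller, beside a hardened version that authenticates the request and applies the target user’s own privacy setting on the server, and it generalises the same rule to a user-search endpoint.

```python
"""Constructed example of an unauthenticated profile endpoint beside a
hardened one. Nothing here is Peloton's code; all names, fields and tokens
are invented for illustration."""
from dataclasses import dataclass, field
from typing import Optional


class Unauthorized(Exception):
    """Raised when a request carries no valid session."""


@dataclass
class Profile:
    user_id: str
    username: str
    age: int
    city: str
    workouts: list
    private: bool
    friends: set = field(default_factory=set)  # user_ids allowed to see a private profile


# Constructed sample users. "u1" mirrors the reporter's situation: private
# profile, zero friends. "u2" is private but counts u1 as a friend; "u3" is public.
PROFILES = {
    "u1": Profile("u1", "rider_a", 34, "Austin", ["5k run", "20mi ride"], True),
    "u2": Profile("u2", "rider_b", 29, "Denver", ["10mi ride"], True, {"u1"}),
    "u3": Profile("u3", "rider_c", 41, "Boston", ["yoga"], False),
}

# Constructed session table standing in for a real authentication layer.
SESSIONS = {"tok_u1": "u1", "tok_u2": "u2", "tok_u3": "u3"}


def full_view(p: Profile) -> dict:
    """Every field the owner is allowed to see about themselves."""
    return {"username": p.username, "age": p.age, "city": p.city, "workouts": list(p.workouts)}


def vulnerable_get_profile(user_id: str) -> dict:
    """Vulnerable pattern: the handler takes only the target id. No session is
    required and the privacy flag is never consulted, so any caller can pull a
    private user's age, city and workout history."""
    return full_view(PROFILES[user_id])


def authenticate(token: Optional[str]) -> str:
    """Map a session token to a user id, refusing anonymous requests."""
    if token is None or token not in SESSIONS:
        raise Unauthorized("valid session required")
    return SESSIONS[token]


def can_view_private(caller: str, target: Profile) -> bool:
    """Server-side object-level authorization: the owner or an accepted
    friend may see a private profile; everyone else gets the minimal view."""
    return caller == target.user_id or caller in target.friends


def hardened_get_profile(token: Optional[str], user_id: str) -> dict:
    """Hardened pattern: authenticate first, then apply the target user's own
    privacy setting before deciding which fields to return."""
    caller = authenticate(token)
    target = PROFILES.get(user_id)
    if target is None:
        return {}  # unknown id: disclose nothing
    if target.private and not can_view_private(caller, target):
        return {"username": target.username}
    return full_view(target)


def hardened_search(token: Optional[str], query: str) -> list:
    """User search that requires a session and returns only usernames, so the
    search feature cannot be used as a bulk dump of profile fields."""
    authenticate(token)
    q = query.lower()
    return sorted(p.username for p in PROFILES.values() if q in p.username.lower())


if __name__ == "__main__":
    print("vulnerable, anonymous caller:", vulnerable_get_profile("u1"))
    print("hardened, stranger:", hardened_get_profile("tok_u3", "u1"))
    print("hardened, owner:", hardened_get_profile("tok_u1", "u1"))
```

The important design point is that the privacy decision is made by the server from its own copy of the user’s setting, not by the client omitting fields it was already given; a client-side filter leaves the raw data one crafted request away.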

The researchers go on to describe what should really be a fourth issue: the lack of responsiveness from Peloton until a journalist got involved. Once that happened, though, they gave kudos:

“In fairness to Peloton they took it on the chin, thanked us, and acknowledged their failures in the process. I wish all vendors were so honest and grateful.”

But as a Peloton user, I find myself wondering about the much more sensitive data that Peloton could have access to, beyond the mere profile data revealed in this research. What about high-fidelity location for those who track their runs? What about video and audio access on the Android tablets on the bikes that many people keep in their bedrooms or offices?

Just because those haven’t been revealed here doesn’t mean they’re properly secured or considered.

This will continue until businesses recognize that data, and especially personally identifiable information (PII), properly belongs to the people who create it, usually the end users themselves, and take steps to empower those users to secure and own it. Privacy means being empowered to share, or not share, your own information with whom you choose. Rownd is built to allow any business to quickly and securely empower their end users, their data owners, to make these decisions for themselves.