Peloton's Leaky API Let Anyone Grab Riders' Private Account Data (techcrunch.com)
Zack Whittaker, reporting for TechCrunch: Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data. My Peloton profile is set to private and my friend's list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users' private account data directly from Peloton's servers, even with their profile set to private. Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.
As Biden was inaugurated (and his Peloton moved to the White House -- assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton's API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company's servers storing user data.) But the exposed API let him -- and anyone else on the internet -- access a Peloton user's age, gender, city, weight, workout statistics and, if it was the user's birthday, details that are hidden when users' profile pages are set to private. Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public. But that deadline came and went, the bug wasn't fixed and Masters hadn't heard back from the company, aside from an initial email acknowledging receipt of the bug report. In some other Peloton news: Peloton recalls all treadmills after reported injuries, death.
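The failure described in the summary is a missing authorization check on a per-user resource: the endpoint answered without a session and ignored the profile's privacy setting. The following is an added illustration, not TechCrunch's or Peloton's code; the profile records, field names, friends list and session model are constructed assumptions used to contrast the reported behaviour with a handler that enforces the privacy flag.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample records (not real Peloton data): one private, one public profile.
@dataclass
class Profile:
    user_id: str
    username: str
    private: bool
    friends: FrozenSet[str]
    age: int
    gender: str
    city: str
    weight_kg: float
    workouts: int

PROFILES = {
    "u1": Profile("u1", "rider_a", True, frozenset(), 41, "m", "New York", 82.0, 120),
    "u2": Profile("u2", "rider_b", False, frozenset({"u1"}), 29, "f", "Austin", 61.5, 33),
}

PUBLIC_FIELDS = ("user_id", "username")
# Fields the article says were exposed despite a private profile.
PRIVATE_FIELDS = ("age", "gender", "city", "weight_kg", "workouts")

class Unauthorized(Exception):
    """Raised when no valid session accompanies the request (HTTP 401 in a real API)."""

def get_profile_unchecked(target_id: str) -> dict:
    """Shape of the reported bug: no session required and the privacy flag is ignored."""
    p = PROFILES[target_id]
    return {k: getattr(p, k) for k in PUBLIC_FIELDS + PRIVATE_FIELDS}

def get_profile_checked(session_user: Optional[str], target_id: str) -> dict:
    """Hardened handler: authenticate first, then authorize per target object."""
    if session_user is None or session_user not in PROFILES:
        raise Unauthorized("login required")
    p = PROFILES[target_id]
    data = {k: getattr(p, k) for k in PUBLIC_FIELDS}
    # Owner, an accepted friend, or anyone if the profile is public may see the rest.
    if session_user == target_id or session_user in p.friends or not p.private:
        data.update({k: getattr(p, k) for k in PRIVATE_FIELDS})
    return data

def is_denied(session_user: Optional[str], target_id: str) -> bool:
    """True when the hardened handler rejects the request outright."""
    try:
        get_profile_checked(session_user, target_id)
        return False
    except Unauthorized:
        return True

def exposure_delta(session_user: Optional[str], target_id: str) -> set:
    """Fields the unchecked endpoint returns that the checked one would withhold;
    a non-empty set is the regression signal a test suite should fail on."""
    allowed = set() if is_denied(session_user, target_id) else set(get_profile_checked(session_user, target_id))
    return set(get_profile_unchecked(target_id)) - allowed
```

The unchecked variant is the behaviour the researcher reported; the checked variant is what a privacy setting must actually gate, and exposure_delta is the kind of assertion a test suite can run to catch the regression.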
Does it have a remote? (Score:2)
Depending on how authentication is handled, and there appears to be none, this could be a very hard bug to fix.
Re:Does it have a remote? (Score:4, Funny)
Sounds like there's no authentication/authorization at all, probably not even Bearer-Token in the headers. Open wide to toy with. Excellent design.
Re: (Score:2)
Re: (Score:2)
A much better solution would be one or two optical sensors behind and under the machines.
Ya, but many people have treadmills because they're not ready to have optical sensors behind and underneath ... :-)
Re: (Score:2)
fantastic.
a dark net app that demonstrates just what a lazy bum i truly am.
and let's put it on a facebook page.
a list of people that actually use the peloton.
and my name will not be on that list.
this is social shaming
Re: Does it have a remote? (Score:1)
That would explain why kids end up under a running machine, unsupervised.
Right, because dangerous hardware and stupid parents aren't already an effective combination.
On another note, make sure you don't have kids.
An API allows two things to talk to each other (Score:4, Funny)
This is the sort of tech information I can only get from slashdot.
Re: (Score:2)
Technically TechCrunch is responsible for the fantastic writing. Slashdot is responsible for the plagiarism.
Re: (Score:2)
Re: (Score:2)
Re: An API allows two things to talk to each other (Score:1)
Re: (Score:2)
So it's like a series of tubes connected to each other?
Aren't these not solved problems? (Score:2)
I am not a software dev so I cannot speak from experience but is this not something that has been sorted out today? You have a device which has data you want to get into your platform, are there not the tools available, many for free that make this dare I say a little trivial, not to minimize the work devs and security experts put into what they do, but I am curious if the opinion of something like this is Peloton doing startup nonsense of trying to re-invent the wheel for no reason besides to have somethin
Re:Aren't these not solved problems? (Score:4, Insightful)
Re: (Score:2)
A great value! (Score:5, Funny)
When you install a Peloton treadmill, you can now proudly announce to the WHOLE WORLD, "Hey! I spent $1800, used it two times, now I use it to dry clothes!"
Not a good day for Peloton (Score:2)
Along with this problem, there is the ongoing problem with people getting injured on their treadmills: https://www.cnn.com/2021/05/05... [cnn.com]
Makes me wonder about the company and their attention to looking after their customers.
Re: (Score:2)
The real question is why young children were playing with it unsupervised.
Discovered (Score:3)
Thought the title was for Japanese Subway Groping (Score:1)
I read it as: Peloton's Leaky API Let Anyone Grab Riders' Privates / Asses Data
When I got to data, I had to slow down and reread.
Shocked (Score:2)
I'm amazed that a shabby bunch of nobodies with no IT background wanting to sell overpriced stationary bikes to the vain and the insecure would not have employed top-level developers with backgrounds in online security while trying to shovel as many units out the door before the pandemic ends.
I mean, who can you trust?
Bogus Data (Score:2)
At least it didn't let anyone (Score:2)
grab riders' private parts.