Peloton’s Leaky API Potentially Exposed Riders’ Personal Information May 6, 2021 06:36 GMT
Peloton’s Leaky API
According to a report from TechCrunch, an outdated version of Peloton’s API, the interface through which the company’s bikes and recalled treadmills talk to its servers, could be used to read private customer profiles. Peloton claims more than 3 million subscribers and over 1 million connected fitness profiles, so the exposure could be large.
Jan Masters, a security researcher at Pen Test Partners, discovered the bug on January 20th and reported it to Peloton, but the company is only now confirming that it has been patched.
Among the data anyone on the internet could access: a Peloton user’s age, birthdate, city, gender, weight and workout statistics, all of which a user can mark as private but which the API still returned.
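The bug class the report describes is a server that stores a privacy setting but only honours it in the client UI, so a direct API call returns the full record. The following is an added illustration, not Peloton’s code: a leaky profile handler next to a hardened one that enforces the setting server-side, an audit helper that reports which private fields a caller receives, and a dispatcher that retires the old API version rather than leaving it reachable beside the fixed one. All profiles, names and version labels are constructed for the example.

```python
"""Illustration of the bug class described above: a profile endpoint that
returns a rider's full record regardless of the profile's privacy setting,
next to a hardened handler that enforces the setting on the server.
Added example, not Peloton's code; every profile, name and API version
below is constructed for the demonstration."""
from dataclasses import dataclass, field

# Fields the report lists as exposed even when a profile was set to private.
PRIVATE_FIELDS = ("age", "birthdate", "city", "gender", "weight", "workout_stats")
PUBLIC_FIELDS = ("user_id", "username")


class NotFound(Exception):
    pass


class Gone(Exception):
    """Raised for a retired API version (HTTP 410 in a real service)."""


@dataclass
class Profile:
    user_id: int
    username: str
    is_private: bool
    friends: set = field(default_factory=set)
    age: int = 0
    birthdate: str = ""
    city: str = ""
    gender: str = ""
    weight: int = 0
    workout_stats: dict = field(default_factory=dict)


# Constructed sample data: rider 1 is private with no friends, rider 2 is public.
PROFILES = {
    1: Profile(1, "rider_one", True, set(), 41, "1980-03-09", "Brooklyn", "M", 180,
               {"rides": 212, "best_output_kj": 420}),
    2: Profile(2, "rider_two", False, {1}, 29, "1992-07-21", "Austin", "F", 130,
               {"rides": 58, "best_output_kj": 310}),
}


def _view(profile, fields):
    return {f: getattr(profile, f) for f in fields}


def vulnerable_get_profile(target_id, requester_id=None):
    """The broken pattern: the privacy flag is stored but never consulted here,
    so any caller (including an unauthenticated one, requester_id=None) gets
    every field. Only the client UI hides the data, and an API caller skips the UI."""
    profile = PROFILES.get(target_id)
    if profile is None:
        raise NotFound(target_id)
    return _view(profile, PUBLIC_FIELDS + PRIVATE_FIELDS)


def hardened_get_profile(target_id, requester_id=None):
    """Enforce visibility server-side. The owner and friends get the full record;
    for a private profile every other caller gets only the public fields, and an
    anonymous caller (requester_id=None) is never treated as owner or friend."""
    profile = PROFILES.get(target_id)
    if profile is None:
        raise NotFound(target_id)
    is_owner = requester_id is not None and requester_id == profile.user_id
    is_friend = requester_id is not None and requester_id in profile.friends
    if is_owner or is_friend or not profile.is_private:
        return _view(profile, PUBLIC_FIELDS + PRIVATE_FIELDS)
    return _view(profile, PUBLIC_FIELDS)


# The report attributes the leak to an outdated API version. A fix on the
# current version is useless while the old handler stays reachable, so this
# dispatcher retires the old version instead of leaving it mapped (hypothetical
# version labels; not Peloton's routing).
HANDLERS = {"v2": hardened_get_profile}  # "v1" (the leaky handler) is no longer mapped
RETIRED_VERSIONS = {"v1"}


def dispatch(version, target_id, requester_id=None):
    if version in RETIRED_VERSIONS:
        raise Gone(version)
    return HANDLERS[version](target_id, requester_id)


def private_fields_returned(handler, target_id, requester_id=None):
    """Audit helper: which private fields does `handler` hand to `requester_id`
    for a private profile? An empty set for a stranger means the setting is honoured."""
    if not PROFILES[target_id].is_private:
        return set()
    return set(handler(target_id, requester_id)) & set(PRIVATE_FIELDS)


if __name__ == "__main__":
    print("vulnerable, anonymous:", sorted(private_fields_returned(vulnerable_get_profile, 1)))
    print("hardened, anonymous:  ", sorted(private_fields_returned(hardened_get_profile, 1)))
```

The audit helper is the check to run against every version of an endpoint that is still routable, not only the latest: call it as an anonymous user and as an unrelated authenticated user, and treat any private field in the result as a finding.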
Peloton’s leaky API let anyone grab riders’ private account data
But the company won’t say if it has evidence of malicious exploitation.
Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.
My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.
The API that powers Peloton’s bikes and profiles may have exposed customer data to anyone who queried it, according to TechCrunch. The bug has been fixed, but it is not known whether anyone exploited it.