A flaw in Peloton's online service exposed sensitive user data to anyone on the internet, even when a profile was set to private, Jan Masters, a security researcher at Pen Test Partners, has found.
Peloton makes network-connected stationary bikes and treadmills and also gives users access to live, real-time classes and sessions with a coach, as well as classes for treadmill, yoga, and outdoor running.
Masters discovered that he could make unauthenticated requests to Peloton's application programming interface (API) for user account data without the API checking whether the requester was allowed to see it.
The exposed information included user IDs, instructor IDs, group membership, workout stats, gender, age, weight, and whether a user was in the studio.
The researcher said he contacted Peloton about the API bug in January and promptly received a response acknowledging the issue, but the company then went silent. At the beginning of February Peloton quietly issued a partial fix, which made the user data available only to authenticated Peloton users. The researcher then informed the company that the fix was inadequate but again received no response. The issue was fixed in May, after Pen Test Partners contacted Peloton's new CISO directly.
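As an added illustration (not Peloton's code or the researcher's material), the three states of the endpoint described above, modelled as a minimal profile lookup with constructed sample data: the original unauthenticated lookup, the partial fix that only requires a login, and a fix that also checks authorization per object. All names, IDs and the response shape are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Profile:
    user_id: str
    private: bool
    workout_stats: dict


# Constructed sample data: one public profile and one private profile.
PROFILES = {
    "u100": Profile("u100", private=False, workout_stats={"rides": 12}),
    "u200": Profile("u200", private=True, workout_stats={"rides": 40}),
}

Response = Tuple[int, Optional[Profile]]  # (HTTP-style status, body)


def lookup_unauthenticated(requested_id: str, caller_id: Optional[str]) -> Response:
    """Original flaw: no check at all; any caller, logged in or not, gets any profile."""
    profile = PROFILES.get(requested_id)
    return (200, profile) if profile else (404, None)


def lookup_partial_fix(requested_id: str, caller_id: Optional[str]) -> Response:
    """Partial fix: a login is required, but any logged-in user can still read any
    profile, private ones included. Object-level authorization is still missing."""
    if caller_id is None:
        return (401, None)
    profile = PROFILES.get(requested_id)
    return (200, profile) if profile else (404, None)


def lookup_fixed(requested_id: str, caller_id: Optional[str]) -> Response:
    """Adequate fix: authenticate, then authorize per object. A private profile is
    returned only to its owner; anyone else gets 403 (or 404, if the service
    prefers not to reveal that the profile exists)."""
    if caller_id is None:
        return (401, None)
    profile = PROFILES.get(requested_id)
    if profile is None:
        return (404, None)
    if profile.private and caller_id != profile.user_id:
        return (403, None)
    return (200, profile)
```

On the server side, the 401/403 responses from the fixed version are also what a detection team should be logging: one principal collecting 403s across many different user IDs is the enumeration pattern that the original endpoint silently allowed.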