6 May 2021

Software bug exposed Peloton users private account data


A flaw in Peloton's online service exposed users' sensitive account data to anyone on the internet, even when a profile was set to private, Jan Masters, a security researcher at Pen Test Partners, has found.

Peloton makes network-connected stationary bikes and treadmills and also provides users access to live real-time classes and sessions with a coach, as well as classes for treadmill, yoga, and outdoor running.

Masters discovered that he could make unauthenticated requests to Peloton's application programming interface (API) for user account data, and the API returned it without checking whether the requester was allowed to see it.

The exposed information included user IDs, instructor IDs, group membership, workout stats, gender and age, weight, and whether a user was in the studio.

The researcher said he contacted Peloton about the API bug in January and promptly received a response acknowledging the issue; after that, the company went silent. At the beginning of February Peloton silently issued a partial fix that only required requests to be authenticated: any Peloton account holder could still retrieve other users' data, including data from private profiles, so the fix changed who could exploit the flaw rather than what it exposed. The researchers informed the company that the fix was inadequate but again received no response. The issue was fully fixed in May after Pen Test Partners contacted Peloton's new CISO directly.
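The three states described above (no check, authentication only, authentication plus a check against the requested object) are easy to confuse when reviewing a fix. The following is an added example written for this page, not Peloton's code; the endpoint path, field names, session tokens and the `private` flag are hypothetical, and the sample users are constructed.

```python
"""Toy model of one API endpoint serving user profile data, in three versions:
profile_v0 (no check, as reported), profile_v1 (authentication only, the partial
fix) and profile_v2 (authentication plus object-level authorization).
Hypothetical code; field names and paths are not Peloton's."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two users, one with a private profile.
USERS = {
    "u1": {"id": "u1", "private": True,  "age": 41, "weight_kg": 80, "workouts": 312},
    "u2": {"id": "u2", "private": False, "age": 29, "weight_kg": 65, "workouts": 57},
}
SESSIONS = {"tok-u1": "u1", "tok-u2": "u2"}   # bearer token -> user id (hypothetical)
PUBLIC_FIELDS = {"id", "workouts"}             # what a public profile shows to others


@dataclass
class Request:
    path: str                                  # e.g. /api/user/u1 (hypothetical route)
    headers: dict = field(default_factory=dict)


class Unauthorized(Exception):
    """No valid session presented (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but not allowed to read this object (HTTP 403)."""


class NotFound(Exception):
    """No such user (HTTP 404)."""


def _target(req: Request) -> str:
    # Last path segment is the requested user's id.
    return req.path.rsplit("/", 1)[-1]


def _caller(req: Request) -> Optional[str]:
    # Resolve the bearer token to a user id; None if absent or unknown.
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return SESSIONS.get(auth[len("Bearer "):])
    return None


def profile_v0(req: Request) -> dict:
    """As reported: no check at all. Any internet client gets every field."""
    user = USERS.get(_target(req))
    if user is None:
        raise NotFound
    return dict(user)


def profile_v1(req: Request) -> dict:
    """Partial fix: a session is required, but any account can read any profile."""
    if _caller(req) is None:
        raise Unauthorized
    return profile_v0(req)


def profile_v2(req: Request) -> dict:
    """Adequate fix: authenticate, then authorize the caller against the target."""
    caller = _caller(req)
    if caller is None:
        raise Unauthorized
    target = _target(req)
    user = USERS.get(target)
    if user is None:
        raise NotFound
    if caller == target:
        return dict(user)                      # owners see their own full record
    if user["private"]:
        # Raise NotFound here instead if user ids must not be enumerable.
        raise Forbidden
    return {k: v for k, v in user.items() if k in PUBLIC_FIELDS}
```

The test a practitioner should run against any such fix is the one `profile_v1` fails: log in as an unrelated second account and request another user's private profile. A 401 on the anonymous request proves only that authentication was added, not that authorization was.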
