Peloton security flaw let attackers grab sensitive user data

The vulnerability has since been fixed, but it took time.

Sponsored Links

Jon Fingas
May 5, 2021 1:24 PM
SAN ANSELMO, CALIFORNIA - APRIL 06: Cari Gundee rides her Peloton exercise bike at her home on April 06, 2020 in San Anselmo, California.  More people are turning to Peloton due to shelter-in-place orders because of the coronavirus (COVID-19). Peloton stock has continued to rise over recent weeks even as most of the stock market has plummeted. However, Peloton announced today that they will temporarily pause all live classes until the end of April because an employee tested positive for COVID-19.  (Photo by Ezra Shaw/Getty Images)
Ezra Shaw/Getty Images

Even your exercise equipment isn't immune to security issues. TechCrunch reports that Pen Test Partners' Jan Masters discovered a Peloton security flaw that let attackers grab sensitive data, including user info (such as age and weight), location and workout stats. The researcher found that you could make unauthenticated requests to Peloton's programming interface to get someone's data, whether or not they'd set their account private.

The issue has since been fixed, but only after an extended period. Masters said he privately disclosed the flaw on January 20th, but didn't get a response until he reached out to the media 90 days later (as is custom with security disclosures). Peloton quietly issued a half-fix on February 2nd that only limited access to authenticated users — anyone with a membership could still spy on your info. It wasn't until after media contact that Peloton "largely" fixed the issue within a week.

It's not clear if any attackers exploited the security hole.

The company is ready to change its ways, at least. Spokesperson Amelise Lane told TechCrunch in a statement that Peloton was "slow to update" Masters about its efforts to fix the vulnerability. The company would strive to "work collaboratively" with security researchers in the future, Lane added.

There's a good chance your data was untouched. However, this underscores the importance of securing fitness data. The incident also illustrates the importance of making genuinely responsive vulnerability disclosure and bug bounty programs. It's not enough to have security experts submit issues into a black box — they need to know that the company is aware of its shortcomings and applying meaningful fixes.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget