Peloton security flaw let attackers grab sensitive user data

The vulnerability has since been fixed, but it took time.

Ezra Shaw/Getty Images

Even your exercise equipment isn't immune to security issues. TechCrunch reports that Pen Test Partners' Jan Masters discovered a Peloton security flaw that let attackers grab sensitive data, including user info (such as age and weight), location and workout stats. The researcher found that you could make unauthenticated requests to Peloton's programming interface to get someone's data, whether or not they'd set their account private.

The issue has since been fixed, but only after an extended period. Masters said he privately disclosed the flaw on January 20th, but didn't get a response until he reached out to the media 90 days later (as is custom with security disclosures). Peloton quietly issued a half-fix on February 2nd that only limited access to authenticated users — anyone with a membership could still spy on your info. It wasn't until after media contact that Peloton "largely" fixed the issue within a week.

It's not clear if any attackers exploited the security hole.

The company is ready to change its ways, at least. Spokesperson Amelise Lane told TechCrunch in a statement that Peloton was "slow to update" Masters about its efforts to fix the vulnerability. The company would strive to "work collaboratively" with security researchers in the future, Lane added.

There's a good chance your data was untouched. However, this underscores the importance of securing fitness data. The incident also illustrates the importance of making genuinely responsive vulnerability disclosure and bug bounty programs. It's not enough to have security experts submit issues into a black box — they need to know that the company is aware of its shortcomings and applying meaningful fixes.