Peloton is having a rough day. First, the company recalled two treadmill models after the death of a 6-year-old child who was pulled under one of the devices. Now comes the news that Peloton has exposed sensitive user data even after the company became aware of the leak. No wonder the company’s stock price fell 15 percent on Wednesday.
Peloton offers a line of network-connected exercise bikes and treadmills. The company also offers an online service that allows users to take classes, work with trainers, or do training with other users. In October, Peloton told investors it had a community of 3 million members. Members can set accounts as public so that friends can view details such as lessons attended and training stats, or users can choose to keep profiles private.
I know where you exercised last summer
Researchers at security consultancy Pen Test Partners reported on Wednesday that a flaw in Peloton’s online service made data for all of its users available to anyone anywhere in the world, even if a profile was set to private. All it took was a little knowledge of the faulty programming interfaces Peloton uses to transfer data between devices and the company’s servers.
Data uncovered included:
- User IDs
- Instructor IDs
- Group Membership
- Training Statistics
- Gender and Age
- Whether they are in the studio or not
Ars agreed to withhold another piece of personal data because Peloton is still working to secure it.
A blog post published by Pen Test Partners on Wednesday said the APIs did not require any authentication before returning the information. The firm's researchers said they reported the exposure to Peloton in January and received an acknowledgment immediately. Then, according to Wednesday's post, Peloton went silent.
Slow response, failed solution
Two weeks later, the researchers said, the company quietly rolled out a partial fix. Instead of serving user data with no authentication at all, the APIs now returned it only to callers with a Peloton account. That was better than nothing, but any subscriber to the online service could still pull up any other subscriber's private data, because the check stopped at "is this caller logged in" and never asked whether the caller was allowed to see that particular profile.
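The three states of the endpoint described above, as an added illustration that is not code from Peloton or from Pen Test Partners: the original unauthenticated handler, the interim fix that only checks for a logged-in account, and a hardened version that also authorizes the caller against the specific profile requested. Profile ids, stats and the friend relationship are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    user_id: int
    is_private: bool
    stats: dict
    friends: set = field(default_factory=set)  # user_ids allowed to see a private profile

# Constructed sample records (hypothetical ids and stats, not real user data).
PROFILES = {
    1: Profile(1, is_private=True, stats={"rides": 42, "age": 34, "gender": "f"}, friends={2}),
    2: Profile(2, is_private=False, stats={"rides": 7, "age": 29, "gender": "m"}),
    3: Profile(3, is_private=True, stats={"rides": 120, "age": 51, "gender": "m"}),
}

def render(p: Profile) -> dict:
    return {"user_id": p.user_id, **p.stats}

def get_profile_original(target_id: int) -> dict:
    """The reported flaw: no authentication, so any caller reads any profile, private or not."""
    return render(PROFILES[target_id])

def get_profile_partial_fix(requester_id, target_id: int) -> dict:
    """The interim change: a logged-in account is required, but there is still no
    per-object check, so any subscriber can read any other subscriber's private profile."""
    if requester_id is None:
        raise PermissionError("authentication required")
    return render(PROFILES[target_id])

def can_view(requester_id, p: Profile) -> bool:
    """Object-level authorization: public profiles are visible to any authenticated user;
    private ones only to their owner or an approved friend."""
    if requester_id is None:
        return False
    return (not p.is_private) or requester_id == p.user_id or requester_id in p.friends

def get_profile_fixed(requester_id, target_id: int) -> dict:
    """Authenticate, then authorize against the specific record requested.
    Missing and forbidden profiles get the same error so the endpoint does not
    confirm which user IDs exist."""
    if requester_id is None:
        raise PermissionError("authentication required")
    p = PROFILES.get(target_id)
    if p is None or not can_view(requester_id, p):
        raise PermissionError("profile not available")
    return render(p)
```

The partial fix is the state the researchers complained about: `get_profile_partial_fix(3, 1)` still hands user 3 the private stats of user 1, while `get_profile_fixed(3, 1)` refuses.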
When Pen Test Partners informed Peloton about the inadequate solution, they said they received no response. Pen Test Partners researcher Ken Munro said he went as far as looking up business leaders on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.
“At this point I was pretty pissed off, but I thought it was worth one last chance before dropping a 0 day on Peloton users,” Munro told me. “I asked Zack W to contact their news agency. It had a miraculous effect – within hours I had an email from their new CISO, who was new to the position and had researched, found their rather weak response and had a plan to fix the bugs.”
A Peloton representative declined to discuss the timeline on the record, but did provide the following standard response:
Keeping our platform secure is a priority for Peloton and we are always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he could access our API and see information available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to keep the researcher informed of our recovery efforts. In the future, we will do better to collaborate with the security research community and respond more quickly when vulnerabilities are reported. We would like to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.
The incident is the latest reminder that data stored online is often far more widely available than the companies holding it claim. That puts users in a bind. On the one hand, sharing weight, exercise stats and other data can help people get the most out of training sessions or group workouts. On the other hand… well, you know.
I generally try to falsify or leave incomplete much of the data I provide. Most of the services I use that require a credit card will approve purchases just fine, even if I provide a fake name, address, and phone number. Not having those details tied to usernames or other data can often minimize the sting of a data breach like this.
Update: I wasn’t clear in the last paragraph so I’ll try again. Sites generally have two places where they ask for your information. One set is saved with the user account information. The other is used by the billing processor. For example, my Amazon account lists my name as Dang. But when I gave my credit card information, I obviously did not provide a false name.
The same goes for HBO Max. There is an account information tab and there is a billing information tab. I see no reason why I should enter my real or full name in the account tab. For obvious reasons, I don’t falsify the information on the Billing tab. That said, I can often get away with providing incomplete information when providing billing information. For example, the billing section of many sites allows me to enter only my street name, but not my house number, and only the initials of my first and last name.
My reason for all this: Sites generally store account and billing information in separate buckets, and the bucket with the billing information seems more secure. Internet companies have a terrible track record of securing user data. The less they have about me, the better. I hope these additional details better explain how and why I do this.