Exercise equipment company Peloton is facing severe criticism after it failed to protect its users’ personal information. Cybersecurity researcher Jan Masters discovered a vulnerability that allowed anyone to make unauthenticated requests to Peloton’s API and pull users’ activity details and sensitive account data, even when their profiles were set to private. The servers allegedly exposed sensitive information such as user IDs, instructor IDs, group memberships, location details, workout statistics, gender, and age.
Peloton provides connected stationary bikes and treadmills that come with cameras, microphones, and tablets attached. Users can live stream fitness classes and communicate with others. The company has more than three million subscribers, making it an attractive target for cybercriminals.
Peloton uses unauthenticated APIs that are vulnerable to Broken Object Level Authorization (BOLA). An unauthenticated attacker could obtain this personal information simply by querying the API, including for customers who kept their profiles private. While there is no evidence that users’ data was misused, the researcher said that Peloton acknowledged the security disclosure and fixed the bug.
With a large user base that includes celebrities such as President Biden, the security incident could result in a massive data breach. “The mobile, web application and back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users. This endpoint could have been polled by an unauthenticated user, but the fix now requires a user account, for which anyone can self-register. This still exposes the same data to any other Peloton user. Some of these classes can reach 800+ users at one time, which increases how much data someone could harvest,” Masters said.
Talking to CISO MAG about the security incident, Roshan Piyush, Security Research Engineer at Traceable, said, “It’s very common to see unauthenticated APIs and especially BOLA vulnerabilities. It mostly occurs due to overlooked authentication and authorization protection for the APIs in the development process. Some APIs are left without protections to be integrated with authorization controllers in API gateways, which is another step for misconfiguration. Unauthenticated APIs are most dangerous as they make it so easy to exfiltrate data, especially if they expose sensitive information, PII or PHI. As in the case of Peloton, even members who kept their profile private could have been a victim of an attack. It is yet to be established if there was a misuse.”
“Enterprises must focus on improving API security posture and reevaluating their API security strategies. For an API under development, developers need to seek guidance during the design of the authentication procedures. The goal should be to enforce the security in the design of the authentication procedure by considering human and bot factors.”
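As an added illustration of the BOLA pattern the researcher and Piyush describe above (this is constructed example code, not Peloton's code and not part of the original article), the vulnerable handler below returns any profile by ID with no caller identity and ignores the private flag, while the hardened handler authenticates the caller, lets only the owner see a private profile, trims public profiles to a minimal field set, and answers private and non-existent IDs with the same 404 so the response does not confirm which accounts exist. All user IDs, fields and sample data are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Profile:
    user_id: str
    is_private: bool
    workouts: int
    age: int
    location: str

# Constructed sample users standing in for the account database.
PROFILES: Dict[str, Profile] = {
    "u100": Profile("u100", is_private=True, workouts=412, age=34, location="Austin"),
    "u200": Profile("u200", is_private=False, workouts=87, age=29, location="Leeds"),
}

# Fields a stranger may see on a public profile; everything else is owner-only.
PUBLIC_FIELDS = ("user_id", "workouts")

def full_view(p: Profile) -> dict:
    return {"user_id": p.user_id, "workouts": p.workouts,
            "age": p.age, "location": p.location}

def vulnerable_get_user(user_id: str) -> Tuple[int, Optional[dict]]:
    """BOLA as described in the article: no caller identity is required, the
    object ID comes straight from the request, and the privacy flag is never
    consulted, so any client can walk the ID space and harvest every profile."""
    p = PROFILES.get(user_id)
    if p is None:
        return 404, None
    return 200, full_view(p)

def hardened_get_user(caller_id: Optional[str], user_id: str) -> Tuple[int, Optional[dict]]:
    """Fix: authenticate first, then authorize against the requested object.
    Private profiles answer 404 to everyone but their owner, the same status a
    missing ID gets, so the endpoint does not confirm which accounts exist."""
    if caller_id is None or caller_id not in PROFILES:
        return 401, None                      # unauthenticated callers get nothing
    p = PROFILES.get(user_id)
    if p is None or (p.is_private and caller_id != p.user_id):
        return 404, None                      # not found / not yours: indistinguishable
    if caller_id == p.user_id:
        return 200, full_view(p)              # owner sees their own data
    return 200, {k: getattr(p, k) for k in PUBLIC_FIELDS}  # public profile, minimal fields
```

Note that requiring an account alone, as Masters points out, is not enough: the per-object privacy check and field minimisation in the hardened handler are what stop one registered user from harvesting another's data.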
In related news, Peloton was forced to recall its treadmills over a lack of safety precautions that led to a child’s death. Tread machines sold in the U.K. are also being recalled due to faulty display consoles. Peloton CEO John Foley apologized for refusing to act quickly.