Peloton has yet to reveal whether its API was exploited and whether user data was accessed without authorization

May 6, 2021 06:36 GMT

According to a report from TechCrunch, an outdated version of Peloton’s API, the programming interface that lets the company’s bikes and recalled treadmills communicate with its servers, may have exposed private customer data.

An API allows two systems to communicate over the internet, in this case Peloton’s bikes and the company’s servers that store user data. Peloton claims more than 3 million subscribers and more than 1 million connected fitness profiles, so the potential exposure is massive.

Jan Masters, a security researcher at Pen Test Partners, discovered the bug on January 20th and reported it to Peloton, but the company is only now confirming that it has been fully patched.

He also found that he could make unauthenticated requests to Peloton’s API for user account data: the API performed no authentication and no check of the caller’s privileges.

What data was exposed by Peloton’s API?

The exposed API allowed him, and anyone else on the internet, to view a Peloton user’s age, gender, city, weight, workout statistics, and birthday. It also returned details that are supposed to be hidden when a user’s profile page is set to private.

When Masters notified Peloton of the leaky API, he gave them a 90-day deadline to fix the issue, the standard window of time that security researchers give businesses to fix vulnerabilities before details are made public.

However, the deadline passed with the bug unfixed, and Masters received no response from the company beyond an initial email acknowledging the report. Peloton’s first change was to restrict the API to its members. In practice this was no fix at all: anyone could sign up for a monthly membership and regain access to the leaky API, since being a member was the only check and any member could still read any other user’s data.
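The two access-control states the article describes, and the per-object check that actually closes the hole, as an added illustrative example (this is not Peloton’s code; all function names, fields and sample users are constructed):

```python
from dataclasses import dataclass

# Fields the article lists as exposed; the "private" flag hides the profile page.
SENSITIVE = ("age", "gender", "city", "weight", "workout_stats", "birthday")

@dataclass
class Profile:
    user_id: str
    private: bool
    data: dict   # constructed sample fields, not a real schema

# Constructed sample store (hypothetical users).
PROFILES = {
    "u1": Profile("u1", True, {"username": "rider1", "age": 41, "gender": "f", "city": "Leeds",
                                "weight": 62, "workout_stats": {"rides": 120}, "birthday": "1980-02-01"}),
    "u2": Profile("u2", False, {"username": "rider2", "age": 35, "gender": "m", "city": "Austin",
                                 "weight": 80, "workout_stats": {"rides": 12}, "birthday": "1986-07-09"}),
}

def _require_member(caller_id):
    if caller_id is None or caller_id not in PROFILES:
        raise PermissionError("authentication required")

def lookup_unauthenticated(target_id):
    """State 1 (the reported bug): no authentication at all, every field returned."""
    return dict(PROFILES[target_id].data)

def lookup_member_only(caller_id, target_id):
    """State 2 (the membership gate): caller must be a member, but any member can
    still read any private profile, i.e. broken object-level authorization."""
    _require_member(caller_id)
    return dict(PROFILES[target_id].data)

def lookup_authorized(caller_id, target_id):
    """Hardened: authenticate, then authorize per object. Owners see everything,
    other members see only non-sensitive fields of public profiles, and a private
    or missing profile yields the same error so the endpoint does not enumerate users."""
    _require_member(caller_id)
    p = PROFILES.get(target_id)
    if p is not None and caller_id == p.user_id:
        return dict(p.data)
    if p is None or p.private:
        raise PermissionError("profile not found or private")
    return {k: v for k, v in p.data.items() if k not in SENSITIVE}
```

The membership gate changes who can call the endpoint but not what it returns; only the third function ties the response to the relationship between caller and target.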

Peloton spokesperson Amelise Lane provided the following statement: “It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”

Numerous questions about Peloton’s handling of the report remain unanswered. The company has not explained why it gave the researcher no feedback despite repeated requests. It is also unclear whether the vulnerability was exploited maliciously, for example by mass-scraping account data.