  • Sahriar Shuvo - Tech Journalist

Peloton's API bug could leak private user data

Peloton has drawn criticism over a recently disclosed bug in its API. The flaw allowed user information to be read straight from Peloton's servers, and it could have been abused for more than that. No active exploitation has been reported, but for a product that stores health and location data this is a serious privacy issue: an exposed API lets anyone who finds it pull sensitive user information.



Peloton's bikes and treadmills talk to the company's production servers, which sync real-time workout data and push health statistics and updates to the on-device screen. The same API that serves the equipment was exposed: requests to it returned customer data whether or not the caller was authenticated. Correlated across calls, those records could be used to track specific users.


Customer records usually hold a username, email address, contact details and billing address. In this case the exposure went further, into users' wellbeing details. Pen Test Partners investigated the matter and reported what the API gave up: user ID, instructor ID, group memberships, location, workout statistics, gender and age, and whether a user was riding in the studio or at home. Peloton has more than 3 million members, over 1 million of them connected fitness subscribers, whose data may have been exposed.



API bugs can surface as functionality, reliability, performance or security problems, and Peloton's falls squarely in the last category. Because the API both controls what the bike syncs with the server and feeds what appears on the rider's display, the same endpoints could be queried directly to pull that data. Peloton's online classes let riders work out together from home as they would in a gym, which is why class attendance, last known location and similar details were among the data the bug exposed.


Pen Test Partners reported the bug through Peloton's coordinated vulnerability disclosure (CVD) programme and gave the company the customary 90 days to fix it before publishing; nobody wants their data shared with outsiders. By the end of that window some data was still exposed: Peloton's first fix only required callers to be logged in, so any Peloton account holder could still query other members' data. The researchers kept working with Peloton on the remaining issue.


The internet-connected bike with a built-in screen became a sensation after launch, and many people chose Peloton over other exercise equipment. The hardware carries a sizeable upfront price, and a flat $39-per-month membership then gives riders access to live and on-demand classes led by certified instructors. Many riders stay for more than one class because the touchscreen experience keeps workouts engaging, and it is helping people stay in shape in an enjoyable way. But the leak is not to be overlooked. Even the White House took notice: security officials reportedly advised against President Biden bringing his Peloton bike into the residence.


Members who had set their profiles to private were exposed as well. Peloton's CISO has since commented on the flaws to the press. Jan Masters, a security researcher at Pen Test Partners, found that the API accepted unauthenticated requests and returned useful user data in response. The API is what lets the bike talk to the internet and sync with Peloton's servers; the bike was doing exactly that, but through endpoints that would answer anyone, and it is not known how long they had been exposed. Pen Test Partners reported the issue to Peloton privately before publishing anything, and went public only after the 90-day deadline had passed. On 5 May Peloton said the vulnerabilities had largely been fixed, a process that took it seven days. The researchers added: "It's a shame that our disclosure wasn't responded to on time and also a shame that we had to involve a journalist to get listened to."
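The three states the article describes (no authentication at all, the partial fix that merely required a login, and a proper fix that checks who may see what) are easy to confuse, so here is an added example, written for this page and not Peloton's code, of a toy profile endpoint in each state. The member records, session tokens, endpoint names and field names are all constructed assumptions; the point is the authorization logic, which is what separates "fixed" from "still leaking".

```python
# Added illustration, not Peloton's code: a toy profile endpoint in the three
# states the article describes. Endpoint and field names are assumptions.

# Constructed sample data standing in for a member database.
USERS = {
    1001: {"username": "rider_a", "age": 34, "gender": "F",
           "location": "Austin, TX", "workouts": 212, "private": True},
    1002: {"username": "rider_b", "age": 41, "gender": "M",
           "location": "Denver, CO", "workouts": 57, "private": False},
    1003: {"username": "rider_c", "age": 29, "gender": "M",
           "location": "Leeds, UK", "workouts": 9, "private": False},
}
# Constructed session store: bearer token -> user id of the caller.
SESSIONS = {"tok-1002": 1002}

PUBLIC_FIELDS = ("username",)  # what a stranger may see on a public profile
SENSITIVE_FIELDS = ("age", "gender", "location", "workouts")


class ApiError(Exception):
    """Raised by a handler to signal an HTTP error status."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def caller_from(headers):
    """Resolve the calling user from an 'Authorization: Bearer <token>' header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def get_user_v0(user_id, headers):
    """State 1 (as reported): no authentication, full record for any user id."""
    if user_id not in USERS:
        raise ApiError(404)
    return dict(USERS[user_id])


def get_user_v1(user_id, headers):
    """State 2 (partial fix): a valid session is required, but any member
    can still read any other member's full record, private or not."""
    if caller_from(headers) is None:
        raise ApiError(401)
    if user_id not in USERS:
        raise ApiError(404)
    return dict(USERS[user_id])


def get_user_v2(user_id, headers):
    """State 3 (object-level authorization): the caller gets their own record,
    only the public fields of a public profile, and nothing about a private one.
    A private profile answers 404 rather than 403 so the endpoint does not
    confirm that the id exists."""
    caller = caller_from(headers)
    if caller is None:
        raise ApiError(401)
    if user_id not in USERS:
        raise ApiError(404)
    user = USERS[user_id]
    if caller == user_id:
        return {k: v for k, v in user.items() if k != "private"}
    if user["private"]:
        raise ApiError(404)
    return {k: user[k] for k in PUBLIC_FIELDS}


def call(handler, user_id, headers=None):
    """Drive a handler the way a router would and report status and body."""
    try:
        return {"status": 200, "body": handler(user_id, headers or {})}
    except ApiError as e:
        return {"status": e.status, "body": None}


def sweep(handler, headers, id_range):
    """Enumerate ids the way a researcher would, and count how many
    responses disclose at least one sensitive field."""
    leaked = 0
    for uid in id_range:
        resp = call(handler, uid, headers)
        if resp["status"] == 200 and any(f in resp["body"] for f in SENSITIVE_FIELDS):
            leaked += 1
    return leaked


if __name__ == "__main__":
    member = {"Authorization": "Bearer tok-1002"}
    for name, h in (("v0", get_user_v0), ("v1", get_user_v1), ("v2", get_user_v2)):
        print(name, "anonymous:", sweep(h, {}, range(1000, 1010)),
              "member:", sweep(h, member, range(1000, 1010)))
```

Running the sweep shows the difference the article is getting at: against the original handler an anonymous caller harvests every record; against the login-only fix an anonymous caller gets nothing but any paying member still harvests every record, private profiles included; only the third handler limits a member to their own data plus the public fields of public profiles.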
