Open API at exercise equipment company Peloton exposed private user data
Interactive exercise equipment company Peloton Interactive Inc. has suffered a potential data breach after it was discovered that its application programming interface exposed user data including private accounts.
The revelation came on the same day the company was forced to recall two of its treadmills following the death of a six-year-old child. The API vulnerability was discovered by Jan Masters, a security researcher at Pen Test Partners LLP and first reported today by TechCrunch.
The unsecured API is said to have allowed anyone to gain access to private account data directly from Peloton’s servers. Accessible data included age, gender, city, weight, workout statistics and where available birthday as well.
Exposing user data via APIs is not uncommon, as an incident involving Experian plc earlier this week showed. But where this story takes a twist is that Peloton was informed of the exposure in January and didn’t sufficiently act on it. Masters reported the exposure Jan. 20 with a 90-day deadline to fix the issue before going public, a standard window time that security researchers typically give companies.
Instead of shutting down the exposure, Peloton instead is said to have restricted API access to its members only. While restricting broad access to all and sundry, access was still available to anyone who signed up to Peloton with a monthly membership. Peloton has since said that it has shut down that path of access as well.
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community,” a spokesperson for Peloton said. “Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.”
“One of the biggest trends sparked by COVID, Peloton, is now realizing the impact fast growth can have if you don’t take appropriate security measures into account,” Jason Kent, hacker in residence at API security software company Cequence Security Inc., told SiliconANGLE. “With 4.4 million members on the platform, the company’s foundation is in building a workout community no matter where users are — allowing friends, family members and even strangers to exercise ‘together’ while being apart in these uncertain times. But in doing so, have they put the community at risk?”
The problem, he added, is that API security is stuck in a web security paradigm of a decade ago, so many of the same flaws that have been fixed in other situations are still present in APIs. “Experian, John Deere and now a major consumer brand have been breached within the last month via their APIs because of immaturity in the way security on APIs is being handled,” he said.
Michael Isbitski, technical evangelist at API security firm Salt Security Inc., noted that often organizations build or integrate APIs without fully considering the potential abuse cases.
“Organizations must protect the APIs monitoring consumption continuously in order to take such malicious activity as content scraping or authorization bypasses,” Isbitski said. “API security issues can also expose organizations to regulatory penalties, since many standards and legislation, including GDPR and CCPA, explicitly define types of PII that must be protected. This includes phone numbers and account identifiers. Even seemingly innocuous types of data can be combined to uniquely identify individuals and impact privacy.”
Photo: Steve Jurvetson/Flickr
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.