Peloton is having a pretty bad week. First it was forced to recall its range of treadmills over serious safety concerns, and to issue an apology for refusing to act more quickly. Now it has emerged that the company has also failed to safeguard user data, some of which is highly personal.
The security failure was highlighted by TechCrunch, which was shown information from a journalist’s own Peloton account even though that account was set to private. The security researcher who found the flaw was able to query Peloton’s API, the interface through which apps and devices connect to Peloton’s servers, and the API returned this information without requiring any authentication.
Once told by the security researcher that its API was spewing private information all over the internet, the company restricted the API so that it only answered requests made with a valid Peloton account. This still allowed anyone prepared to pay for an account to access the data.
Peloton’s systems hold information on a user’s age, gender, weight and workout statistics. After essentially ignoring the security researcher’s report, the company closed the loophole only when TechCrunch asked for comment. The leaky API raised additional concern because Peloton counts President Joe Biden among its customers.
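The two-stage failure described above, an API that first required no authentication and then required only that the caller hold some valid account, is the difference between authentication and per-object authorization. The following Python model is an added illustration and not Peloton’s code: the endpoint functions, the profile fields, the follower-based privacy rule and the sample user records are all constructed assumptions, and a "session" is represented simply as the logged-in username.

```python
# Added illustration, not Peloton's code. Models three states of a profile
# endpoint: no authentication, authentication only, and authentication plus
# per-object authorization. All records, field names and the session
# representation are constructed for the example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    username: str
    age: int
    gender: str
    weight_kg: float
    private: bool = True
    followers: set = field(default_factory=set)  # usernames allowed to view


# Constructed sample records (not real accounts).
PROFILES = {
    "alice": Profile("alice", 34, "f", 62.0, private=True, followers={"bob"}),
    "carol": Profile("carol", 41, "f", 70.5, private=False),
}

# Fields anyone may see versus fields gated by the privacy setting.
PUBLIC_FIELDS = ("username", "private")
SENSITIVE_FIELDS = ("age", "gender", "weight_kg")


class Unauthorized(Exception):
    """No valid session presented (HTTP 401 in a real API)."""


class NotFound(Exception):
    """Unknown username (HTTP 404)."""


def _lookup(username: str) -> Profile:
    try:
        return PROFILES[username]
    except KeyError:
        raise NotFound(username) from None


def _render(p: Profile, full: bool) -> dict:
    """Serialise a profile; sensitive fields only when the caller is allowed."""
    data = {f: getattr(p, f) for f in PUBLIC_FIELDS}
    if full:
        data.update({f: getattr(p, f) for f in SENSITIVE_FIELDS})
    return data


def get_profile_v1(username: str, session: Optional[str] = None) -> dict:
    """State 1: no authentication at all; every field for every caller."""
    return _render(_lookup(username), full=True)


def get_profile_v2(username: str, session: Optional[str] = None) -> dict:
    """State 2: requires *a* valid login but never asks whether that login
    may see this particular profile (missing object-level authorization),
    so any paying subscriber still receives everything."""
    if session is None:
        raise Unauthorized()
    return _render(_lookup(username), full=True)


def get_profile_v3(username: str, session: Optional[str] = None) -> dict:
    """State 3: authentication plus an authorization decision per object.
    Sensitive fields are released only to the owner, to approved followers,
    or when the profile is not private; everyone else gets public fields."""
    if session is None:
        raise Unauthorized()
    target = _lookup(username)
    allowed = (
        session == target.username
        or not target.private
        or session in target.followers
    )
    return _render(target, full=allowed)


def rejects(fn, *args, **kwargs) -> bool:
    """True if the call raises Unauthorized; used to verify the login gate."""
    try:
        fn(*args, **kwargs)
    except Unauthorized:
        return True
    return False
```

The point of the model is that `get_profile_v2`, the state the article describes after the first fix, is still a data leak: the login check passes for any subscriber, and nothing compares the caller to the profile being requested. Only `get_profile_v3` makes a decision about this caller and this object, which is also the check a reviewer should look for on every endpoint that takes a user identifier as a parameter.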
Pen Test Partners, which discovered the API problem, has also published its findings, along with screenshots of the API responses. Notably, alongside the personal information, an Amazon AWS instance holds profile pictures for members who have uploaded them, and the location of each photo appears to be derived from the account’s username, which would make it very easy to access.
The problem has now been completely fixed: API access is no longer available either without authentication or with basic subscriber credentials.
Peloton told TechCrunch, “Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.”