Peloton's Leaky API Let Anyone Grab Riders' Private Account Data

Wednesday 5 May 2021, 18:51, by Slashdot
Zack Whittaker, reporting for TechCrunch: Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data. My Peloton profile is set to private and my friend's list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users' private account data directly from Peloton's servers, even with their profile set to private. Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House -- assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton's API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company's servers storing user data.) But the exposed API let him -- and anyone else on the internet -- access a Peloton user's age, gender, city, weight, workout statistics and, if it was the user's birthday, details that are hidden when users' profile pages are set to private. Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window of time that security researchers give to companies to fix bugs before details are made public. But that deadline came and went, the bug wasn't fixed and Masters hadn't heard back from the company, aside from an initial email acknowledging receipt of the bug report. In some other Peloton news: Peloton recalls all treadmills after reported injuries, death.
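The missing check the article describes, as an added illustration that is neither Peloton's nor Pen Test Partners' code: a toy profile endpoint whose vulnerable handler answers any caller with every stored field, beside a hardened handler that requires a session and honours the profile's private flag and friends list. The user records, bearer tokens and field names are constructed for the example.

```python
# Added example, not Peloton's or Pen Test Partners' code: a toy profile endpoint
# whose vulnerable handler mirrors the reported bug (no authentication, privacy
# flag ignored) beside a hardened one. Users, tokens and fields are constructed.

PUBLIC_FIELDS = {"username"}
PRIVATE_FIELDS = {"age", "gender", "city", "weight", "workouts"}

USERS = {  # constructed sample accounts; "friends" = who may see a private profile
    "rider1": {"username": "rider1", "private": True, "friends": set(),
               "age": 41, "gender": "m", "city": "NYC", "weight": 80, "workouts": 12},
    "rider2": {"username": "rider2", "private": False, "friends": {"rider1"},
               "age": 29, "gender": "f", "city": "LA", "weight": 60, "workouts": 30},
}
SESSIONS = {"tok-rider1": "rider1", "tok-rider2": "rider2"}  # constructed bearer tokens


class Unauthorized(Exception):
    pass


def get_profile_vulnerable(user_id, token=None):
    """The bug pattern: any caller, authenticated or not, gets every stored field."""
    return dict(USERS[user_id])


def get_profile_hardened(user_id, token=None):
    """Authenticate the caller, then authorize per the target's privacy setting."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthorized("valid session required")
    target = USERS[user_id]
    full_view = (caller == user_id                # owner
                 or caller in target["friends"]   # accepted friend
                 or not target["private"])        # public profile
    allowed = PUBLIC_FIELDS | PRIVATE_FIELDS if full_view else PUBLIC_FIELDS
    # Internal fields ("private", "friends") are never serialized either way.
    return {k: v for k, v in target.items() if k in allowed}


def handle(handler, user_id, token=None):
    """HTTP-style wrapper for GET /api/user/<id>: returns (status, body)."""
    try:
        return 200, handler(user_id, token)
    except Unauthorized:
        return 401, {}
    except KeyError:
        return 404, {}
```

Calling `handle(get_profile_vulnerable, "rider1")` with no token returns the private rider's age, city and weight, which is the behaviour the researcher reported; the hardened handler answers 401 to the same request and only `{"username": "rider1"}` to a logged-in non-friend.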

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdot/~3/g-pq3I9KReg/pelotons-leaky-api-let-anyone-grab-riders-priva...