A security researcher recently discovered that he could send unauthenticated requests to Peloton’s Application Programming Interface (API), which leaked private Peloton member data, including age, gender, and location.
Since being founded in 2012, Peloton has built its connected fitness brand around community — one that has garnered over 3 million members to date. This includes celebrities, professional athletes, and even POTUS.
If the secret service did end up allowing President Biden to bring his Peloton into the White House, some personal data may have already been compromised.
A potential Peloton data leak
According to a report by TechCrunch, Jan Masters, a security researcher at Pen Test Partners, first discovered the Peloton data leak. Masters found he could send unauthenticated requests to Peloton’s API, and the interface never checked whether he was authorized to see the private data it returned.
APIs let separate programs communicate with one another over the internet, which makes it easier for two different systems to share data. Unfortunately for Peloton, this leaky API allowed Masters, and anyone else for that matter, to gain access to private member data fairly easily.
This included Peloton members’ age, gender, location, and other workout statistics, such as whether an instructor or member was present in a studio. Most of these details can be shared if a member chooses to allow it but are supposed to be hidden when the profile page is set to private.
Pen Test Partners reported the issue to Peloton on January 20 and allowed the company the standard 90 days to fix the bug before going public. Other than acknowledging it had received the report, Peloton allowed the 90 days to pass without fixing the data leak.
Instead, it limited API access to Peloton members only, which is like closing the front door but not locking it. Anyone could still register for a free Peloton account and send the same unauthenticated requests for data, so Masters went to TechCrunch to blow the whistle.
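The two failure modes described above, no authentication at all and then authentication without any per-profile authorization check, are easy to see side by side in code. The following is an added illustration, not Peloton's code or API: a hypothetical profile-lookup endpoint written three ways, with constructed sample members, session tokens and field names.

```python
"""Hypothetical profile-lookup endpoint, written three ways (constructed example).

  1. get_profile_unauthenticated  - the reported bug: anyone gets everything
  2. get_profile_members_only     - the interim fix: any logged-in account still
                                    gets every field, including private ones
  3. get_profile_authorized       - authenticate, then authorize per profile
"""
from dataclasses import dataclass, asdict


# Constructed sample data; the members, tokens and field names are invented.
@dataclass(frozen=True)
class Profile:
    user_id: str
    username: str
    age: int
    gender: str
    location: str
    in_studio: bool     # a workout statistic of the kind the article mentions
    is_private: bool    # the member's "private profile" setting


PROFILES = {
    "alice": Profile("alice", "alice_rides", 34, "F", "Boston, MA", True, is_private=True),
    "bob": Profile("bob", "bob_climbs", 41, "M", "Denver, CO", False, is_private=False),
}

# Constructed session store: bearer token -> user_id of the caller.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}

# Fields every member may see about any other member.
PUBLIC_FIELDS = ("user_id", "username")


class Unauthorized(Exception):
    """No valid session token was presented (HTTP 401 in a real service)."""


class NotFound(Exception):
    """No such profile (HTTP 404 in a real service)."""


def authenticate(token):
    """Map a session token to a caller id, or refuse the request."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("missing or invalid session token") from None


def _load(target_id):
    try:
        return PROFILES[target_id]
    except KeyError:
        raise NotFound(target_id) from None


def _serialize(profile):
    """Full record as the API would return it; the privacy flag stays internal."""
    record = asdict(profile)
    record.pop("is_private")
    return record


def get_profile_unauthenticated(target_id):
    # Version 1 (the reported bug): the caller's identity is never checked.
    return _serialize(_load(target_id))


def get_profile_members_only(token, target_id):
    # Version 2 (the interim fix): authentication only. Any registered account
    # still receives the owner's private fields, so the leak is unchanged.
    authenticate(token)
    return _serialize(_load(target_id))


def get_profile_authorized(token, target_id):
    # Version 3: authenticate, then decide per profile what this caller may see.
    caller = authenticate(token)
    profile = _load(target_id)
    full = _serialize(profile)
    if caller == profile.user_id or not profile.is_private:
        return full
    return {k: full[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    # A second member asking for alice, who set her profile to private.
    print("v1:", get_profile_unauthenticated("alice"))
    print("v2:", get_profile_members_only("tok-mallory", "alice"))
    print("v3:", get_profile_authorized("tok-mallory", "alice"))
```

The point of the third version is that the check runs on every object returned, keyed to the owner's own privacy setting, rather than at the front door. Requiring a free account to hold a token, as in the second version, changes who can be identified after the fact but not what they can read.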
Peloton quickly responds
After months of apparent inaction on the vulnerability behind the data leak, Peloton responded to TechCrunch to confirm that it had fixed the weak point. Peloton spokesperson Amelise Lane provided the following statement:
It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.
So far, Peloton has not responded to questions about why it didn’t act sooner on Masters’ report, or whether any of this private data had already been accessed by people more malicious than the security researchers at Pen Test Partners.
More details to come as this situation is still unfolding. Peloton currently has its hands full with other PR issues, so it may be trying to sweep this under the rug quickly and quietly.