Interactive exercise equipment company Peloton Interactive Inc. has suffered a potential data breach after it was discovered that its application programming interface exposed user data, including data from accounts set to private.
The revelation came on the same day the company was forced to recall two of its treadmills following the death of a six-year-old child. The API vulnerability was discovered by Jan Masters, a security researcher at Pen Test Partners LLP and first reported today by TechCrunch.
The unsecured API is said to have allowed anyone to retrieve private account data directly from Peloton’s servers. Accessible data included age, gender, city, weight, workout statistics and, where available, birthday.
Exposing user data via APIs is not uncommon, as an incident involving Experian plc earlier this week showed. But where this story takes a twist is that Peloton was informed of the exposure in January and didn’t sufficiently act on it. Masters reported the exposure Jan. 20 with a 90-day deadline to fix the issue before going public, the standard disclosure window that security researchers typically give companies.
Instead of shutting down the exposure, Peloton is said to have restricted API access to its members only. While that cut off broad access to all and sundry, the data was still available to anyone who signed up to Peloton with a monthly membership. Peloton has since said that it has shut down that path of access as well.
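The members-only fix described above illustrates a common confusion between authentication (is the caller a logged-in member?) and object-level authorization (is this caller allowed to see this particular user's data?). The following added example, not Peloton's code, models a profile endpoint in three versions: the original unauthenticated exposure, the members-only gate that still leaks other users' private fields, and a hardened handler that returns sensitive fields only to the account owner and hides private profiles from everyone else. The `Profile`, `Requester` and `PROFILES` names and all sample data are constructed for the example.

```python
"""Added example: authentication alone does not fix an object-level authorization gap.
All data and names here are constructed for illustration; nothing is taken from a real API."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    user_id: int
    username: str
    private: bool                                   # the account's own "private profile" setting
    sensitive: dict = field(default_factory=dict)   # age, gender, city, weight, birthday ...
    stats: dict = field(default_factory=dict)       # workout statistics


@dataclass
class Requester:
    user_id: Optional[int]      # None models an anonymous (unauthenticated) caller
    is_member: bool = False     # True once the caller has signed up for a membership


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# Constructed sample accounts: alice is private, bob is public.
PROFILES = {
    1: Profile(1, "alice", private=True,
               sensitive={"age": 34, "gender": "f", "city": "Austin", "weight_kg": 61},
               stats={"rides": 120}),
    2: Profile(2, "bob", private=False,
               sensitive={"age": 41, "gender": "m", "city": "Denver", "weight_kg": 83},
               stats={"rides": 20}),
}


def _full_view(p: Profile) -> dict:
    return {"username": p.username, **p.sensitive, **p.stats}


def get_profile_v0(requester: Requester, target_id: int) -> dict:
    """Version 0, the exposure as reported: no check at all, any caller gets everything."""
    return _full_view(PROFILES[target_id])


def get_profile_v1(requester: Requester, target_id: int) -> dict:
    """Version 1, the members-only gate: authenticates the caller but still returns
    any member's private fields to any other member (authorization is missing)."""
    if not requester.is_member:
        raise Forbidden("members only")
    return _full_view(PROFILES[target_id])


def get_profile_v2(requester: Requester, target_id: int) -> dict:
    """Version 2, object-level authorization: sensitive fields only for the owner,
    private profiles hidden from everyone else, public profiles expose stats only."""
    if not requester.is_member:
        raise Forbidden("members only")
    p = PROFILES.get(target_id)
    # Missing and private profiles get the same response so that a caller cannot
    # enumerate which IDs exist by telling 'not found' apart from 'not visible'.
    if p is None:
        raise Forbidden("not visible")
    if requester.user_id == p.user_id:
        return _full_view(p)            # owner sees everything, including sensitive fields
    if p.private:
        raise Forbidden("not visible")
    return {"username": p.username, **p.stats}   # public view never carries sensitive fields


if __name__ == "__main__":
    anon, bob = Requester(None), Requester(2, is_member=True)
    print("v0 anonymous:", get_profile_v0(anon, 1))      # leaks alice's weight, city ...
    print("v1 as member:", get_profile_v1(bob, 1))       # still leaks them to any member
    try:
        get_profile_v2(bob, 1)
    except Forbidden as e:
        print("v2 as member:", e)                        # private profile hidden
```

The design point is that the check in version 2 keys on the relationship between the caller and the requested object, not just on whether the caller holds a valid session; that is the check a members-only gate does not provide.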
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community,” a spokesperson for Peloton said. “Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.”
“One of the biggest trends sparked by COVID, Peloton, is now realizing the impact fast growth can have if you don’t take appropriate security measures into account,” Jason Kent, hacker in residence at API security software company Cequence Security Inc., told SiliconANGLE. “With 4.4 million members on the platform, the company’s foundation is in building a workout community no matter where users are — allowing friends, family members and even strangers to exercise ‘together’ while being apart in these uncertain times. But in doing so, have they put the community at risk?”
The problem, he added, is that API security is stuck in a web security paradigm of a decade ago, so many of the same flaws that have been fixed in other situations are still present in APIs. “Experian, John Deere and now a major consumer brand have been breached within the last month via their APIs because of immaturity in the way security on APIs is being handled,” he said.
Michael Isbitski, technical evangelist at API security firm Salt Security Inc., noted that often organizations build or integrate APIs without fully considering the potential abuse cases.
“Organizations must protect the APIs monitoring consumption continuously in order to take such malicious activity as content scraping or authorization bypasses,” Isbitski said. “API security issues can also expose organizations to regulatory penalties, since many standards and legislation, including GDPR and CCPA, explicitly define types of PII that must be protected. This includes phone numbers and account identifiers. Even seemingly innocuous types of data can be combined to uniquely identify individuals and impact privacy.”
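Isbitski's point about monitoring API consumption to catch scraping and authorization bypasses can be made concrete with a small detector. The following added example, not code from Peloton or Salt Security, runs over constructed access-log lines in a simple `timestamp client method path status` format and flags, per client token, two patterns within a sliding time window: many distinct user profiles requested (enumeration or scraping) and many 403 responses (probing for authorization gaps). The log format, the `/api/user/<id>/...` path shape, the thresholds and all tokens are assumptions for the example.

```python
"""Added example: flag API clients that enumerate user profiles or probe for authorization
gaps, using a sliding window over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<ISO-8601 UTC timestamp> <client token> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Assumed path shape for per-user endpoints: /api/user/<id>/...
TARGET_RE = re.compile(r"^/api/user/(?P<target>\d+)(?:/|$)")

# Constructed sample log: tok_aaa browses normally, tok_bbb walks six profiles in six
# seconds, tok_ccc collects a run of 403s, tok_ddd never touches a per-user endpoint.
LOG_LINES = """\
2021-05-05T10:00:01Z tok_aaa GET /api/user/1001/profile 200
2021-05-05T10:00:09Z tok_aaa GET /api/user/1001/workouts 200
2021-05-05T10:00:30Z tok_aaa GET /api/user/1002/profile 200
2021-05-05T10:01:00Z tok_bbb GET /api/user/2001/profile 200
2021-05-05T10:01:01Z tok_bbb GET /api/user/2002/profile 200
2021-05-05T10:01:02Z tok_bbb GET /api/user/2003/profile 200
2021-05-05T10:01:03Z tok_bbb GET /api/user/2004/profile 200
2021-05-05T10:01:04Z tok_bbb GET /api/user/2005/profile 200
2021-05-05T10:01:05Z tok_bbb GET /api/user/2006/profile 200
2021-05-05T10:02:00Z tok_ccc GET /api/user/3001/profile 403
2021-05-05T10:02:01Z tok_ccc GET /api/user/3002/profile 403
2021-05-05T10:02:02Z tok_ccc GET /api/user/3003/profile 403
2021-05-05T10:02:03Z tok_ccc GET /api/user/3004/profile 403
2021-05-05T10:02:04Z tok_ddd POST /api/login 200
""".splitlines()


def parse_line(line: str):
    """Return an event dict for a per-user API request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = TARGET_RE.match(m["path"])
    if not t:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "target": int(t["target"]), "status": int(m["status"])}


def find_scrapers(lines, window_s: int = 60, max_targets: int = 5, max_denied: int = 3) -> dict:
    """Map each suspicious client token to the sorted list of reasons it was flagged.

    'enumeration'   : more than max_targets distinct user IDs requested within window_s seconds
    'authz_probing' : more than max_denied 403 responses within window_s seconds
    """
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)

    findings = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()          # events no older than window_s before the current one
        reasons = set()
        for ev in events:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            if len({e["target"] for e in window}) > max_targets:
                reasons.add("enumeration")
            if sum(1 for e in window if e["status"] == 403) > max_denied:
                reasons.add("authz_probing")
        if reasons:
            findings[client] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for client, reasons in find_scrapers(LOG_LINES).items():
        print(f"{client}: {', '.join(reasons)}")
```

In production the same two signals would be computed per token or per source address on the API gateway's logs, with thresholds tuned to what a genuine member does in a session; the value of the 403 signal is that it persists even after an endpoint has been fixed, because a client that keeps asking for other users' data is still worth a look.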
Photo: Steve Jurvetson/Flickr