Peloton security flaw would have let anyone access user data

One of the best things about owning a Peloton Bike is the fact that your workouts are private but earlier this year a security researcher discovered that it was possible to make unauthenticated requests to the company's API to gain access to Peloton users' account data.

Security researcher Jan Masters at the UK-based security firm Pen Test Partners began looking at the at-home fitness brand's security around the time President Biden was inaugurated and revealed that he planned to bring his Peloton Bike to the White House. At the time, cybersecurity experts warned that doing so could pose a risk to national security, and it now appears they may have been right.

During his investigation, Masters discovered that, because Peloton's API was exposed, he could pull the user IDs, instructor IDs, group membership, location, workout stats, gender and age of users of the company's online membership program from its servers, even if those users had set their profile to private.

In mid-January, Masters reported his findings to the company and, as is standard practice in the industry, gave it a 90-day disclosure deadline to patch the bug that allowed unauthenticated users to access the account data of Peloton users.

Exposed API

When the 90-day deadline had come and gone with only an email from Peloton acknowledging that it had seen the bug report, Masters reached out to TechCrunch, which first broke the story.

While the company didn't fix the underlying bug at first, it did restrict access to its API to its members. That meant anyone could still have signed up for a monthly digital membership for just $12.99 and accessed the API, and with it Peloton users' account data.
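The two defects the article describes are a classic pair: first an endpoint with no authentication at all, then an interim fix that checks only whether the caller is a paying member, which is authentication without authorization. The snippet below is an added illustration, not Peloton's code or anything from the article: it models a profile lookup in its exposed form, in its members-only form, and in a hardened form that enforces the owner's privacy setting per object. The sample records, the `Session` model and the set of fields a public profile exposes (`PUBLIC_FIELDS`) are assumptions made up for the example.

```python
"""Object-level authorization for a profile endpoint (illustrative example).

Field names follow the article's description of the exposed data; all values
are constructed for this example. Not Peloton's code.
"""
from dataclasses import dataclass, field, asdict
from typing import Optional


@dataclass
class Profile:
    user_id: str
    private: bool
    location: str
    gender: str
    age: int
    workout_count: int
    instructor_ids: list = field(default_factory=list)
    group_ids: list = field(default_factory=list)


# Constructed sample records: one private profile, one public profile.
PROFILES = {
    "u-1001": Profile("u-1001", True, "Anytown", "F", 34, 212, ["i-7"], ["g-3"]),
    "u-1002": Profile("u-1002", False, "Somewhere", "M", 41, 57, ["i-2"], []),
}


@dataclass
class Session:
    """Caller identity as the API sees it; user_id None means unauthenticated."""
    user_id: Optional[str] = None
    member: bool = False


# Assumption for this example: what a public profile shows to other members.
PUBLIC_FIELDS = ("user_id", "workout_count")
NOT_FOUND = {"error": "not found"}


def get_profile_before(session: Session, target_id: str) -> Optional[dict]:
    """Exposed endpoint: no authentication, no authorization, every field returned."""
    p = PROFILES.get(target_id)
    return None if p is None else asdict(p)


def get_profile_members_only(session: Session, target_id: str) -> Optional[dict]:
    """Interim fix: requires a membership but still ignores the privacy flag,
    so any paying member can read every other member's private data."""
    if not session.member:
        raise PermissionError("membership required")
    return get_profile_before(session, target_id)


def get_profile_hardened(session: Session, target_id: str) -> dict:
    """Hardened: authenticate the caller, then authorize per object.

    The owner sees everything. Other callers see only PUBLIC_FIELDS of a public
    profile, and receive the same not-found response for private and
    nonexistent profiles so the endpoint cannot be used to enumerate accounts.
    """
    if session.user_id is None:
        raise PermissionError("authentication required")
    p = PROFILES.get(target_id)
    if p is not None and session.user_id == p.user_id:
        return asdict(p)
    if p is None or p.private:
        return dict(NOT_FOUND)
    full = asdict(p)
    return {k: full[k] for k in PUBLIC_FIELDS}


def fields_visible_to_stranger(handler, target_id: str) -> set:
    """Which profile fields a different, paying member can read via `handler`."""
    stranger = Session(user_id="u-2000", member=True)
    result = handler(stranger, target_id) or {}
    return set(result) - set(NOT_FOUND)


if __name__ == "__main__":
    for h in (get_profile_before, get_profile_members_only, get_profile_hardened):
        print(f"{h.__name__}: private profile exposes {sorted(fields_visible_to_stranger(h, 'u-1001'))}")
```

Run stand-alone, the first two handlers hand a stranger the full record of the private profile, while the hardened handler returns nothing beyond a not-found response; the owner still gets the complete record. The point to carry away is that the membership check fixes the wrong layer: the decision must be made against the requested object and the caller's relationship to it, on the server, and a privacy setting that is only honoured by the client is not a control.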

Since then, Peloton has confirmed to TechCrunch that the vulnerability is now fixed. TechRadar Pro also reached out to the company, and a Peloton spokesperson explained how it plans to work more closely with security researchers through its Coordinated Vulnerability Disclosure program going forward, saying:

“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”

Via TechCrunch



from TechRadar - All the latest technology news https://ift.tt/3eZpnyj
via IFTTT