Peloton’s Insecure API Endpoints Exposed Private User Information

Peloton, the popular fitness application best known for its virtual cycling classes and exercise bikes, exposed thousands of users’ personal data via a set of improperly secured API endpoints. The company deployed a partial fix after security researchers forwarded the information to media partners. 

Jan Masters, a security researcher at Pen Test Partners, first reported the vulnerabilities to Peloton on January 20th, 2021, and gave the fitness brand a 90-day notice before the research would be published. This is standard practice and allows companies to deploy updates before the general public becomes aware of the issue. Peloton failed to respond during this timeframe and no fix was issued. Masters then reached out to Zack Whittaker, an editor for TechCrunch who covers security vulnerabilities, in hopes that pressure from a media company would spur action by Peloton. News of Whittaker's upcoming coverage did the trick and a partial solution was issued. Now that a patch is in place, TechCrunch has published its news coverage of the vulnerability.

Masters noted in the report that these issues exposed user IDs, instructor IDs, group membership, location, workout stats, gender, age, and whether or not the user is in the studio. This information was exposed by several API endpoints that were accessible to both authenticated and unauthenticated users, and access was not properly rate-limited. Peloton has now updated the API to ensure that only authenticated users can access this data, which, considering that registering for an account is free, is hardly a complete solution: any caller can simply create an account, and the endpoints still return other users' data without checking whether the caller is entitled to it.
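As an added illustration (not Peloton's code, and not from the Pen Test Partners report), here is a minimal model of why gating such an endpoint behind a login is only a partial fix, beside a version that also checks object-level authorization and rate-limits lookups. The profile fields, the per-user privacy flag, the in-memory record store and the request budget are assumptions made for the demo.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Profile:
    user_id: str
    gender: str
    age: int
    location: str
    private: bool = False  # assumed per-user privacy toggle

# Constructed sample records for the demo, not real user data.
PROFILES = {
    "u1": Profile("u1", "F", 34, "Austin", private=True),
    "u2": Profile("u2", "M", 41, "Denver", private=False),
}
PUBLIC_FIELDS = ("user_id",)
PRIVATE_FIELDS = ("gender", "age", "location")

def profile_auth_only(requester, target_id):
    """The 'partial fix' pattern: a login gate and nothing else. Because any
    free account is a valid requester, every private field is still exposed."""
    if requester is None:
        raise PermissionError("login required")
    p = PROFILES[target_id]
    return {f: getattr(p, f) for f in PUBLIC_FIELDS + PRIVATE_FIELDS}

class RateLimiter:
    """Per-requester request budget (a fixed window, with the clock omitted so
    the demo is deterministic); exhausting it blocks bulk enumeration of IDs."""
    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)
    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def profile_hardened(requester, target_id, limiter):
    """Authentication, then object-level authorization, then rate limiting."""
    if requester is None:
        raise PermissionError("login required")
    if not limiter.allow(requester):
        raise PermissionError("rate limit exceeded")
    p = PROFILES[target_id]
    data = {f: getattr(p, f) for f in PUBLIC_FIELDS}
    # Private fields go to the owner, or to another logged-in user only when
    # the owner has not marked the profile private.
    if requester == target_id or not p.private:
        data.update({f: getattr(p, f) for f in PRIVATE_FIELDS})
    return data
```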

The important thing to note is that although Peloton does offer some privacy settings on the platform, participating in classes renders most of those settings void.
