Peloton’s leaky API let anyone grab riders’ private account data

Peloton’s leaky API let anyone grab riders’ private account data

Posted May 5, 2021

Peloton’s leaky API let anyone grab riders’ private account data

  • My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
  • As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it.
    • An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.
  • The exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
  • Peloton had a bit of a fail in responding to a vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.

– Zack Whittaker | May 5, 2021