Peloton & Echelon: Rider Location Data Exposed - Privacy Concerns

May 26, 2021
Metadata Exposure Risks in Fitness Platforms

Peloton and Echelon, leading companies in the at-home exercise market, were found to be failing to remove metadata from user-uploaded profile pictures. This oversight potentially revealed users’ real-world location data.

Understanding Metadata

Virtually all digital files, including photos and documents, contain metadata. This data describes the file itself, detailing its size, creation date, and author. Photos and videos frequently embed the location where they were captured.

This location data is useful for services to tag photos and videos, identifying places visited. However, it also presents a privacy concern.

The Importance of Metadata Removal

Online platforms, particularly social media, should remove location data from file metadata. This prevents unauthorized access to a user’s whereabouts, as location information can disclose residential addresses, workplaces, frequented locations, and social connections.
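As an added example (not code from the article, Peloton or Echelon), the check and strip step an upload handler could run on a JPEG profile photo before storing it, using only the Python standard library: it walks the JPEG marker segments, detects whether the Exif APP1 segment's IFD0 carries a GPS IFD pointer (tag 0x8825), and drops every APP1 segment while keeping the rest of the file intact. The sample JPEG is constructed inline.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before Start Of Scan."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # SOS (0xDA) ends metadata
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def exif_has_gps(segment):
    """True if an APP1 Exif payload's IFD0 contains a GPS IFD pointer entry."""
    payload = segment[4:]  # skip 2-byte marker and 2-byte length
    if not payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = payload[6:]
    endian = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte order: MM = big, II = little
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each IFD entry is 12 bytes; tag is the first 2
        tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
        if tag == GPS_IFD_POINTER:
            return True
    return False

def strip_app1(data):
    """Return (cleaned_jpeg, had_gps): every APP1 segment is dropped, rest is kept."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    had_gps, out, last = False, bytearray(SOI), 2
    for marker, start, end in iter_segments(data):
        if marker == 0xE1:  # APP1 carries Exif (and XMP); other APPn segments stay
            had_gps = had_gps or exif_has_gps(data[start:end])
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out), had_gps

def build_sample():
    """Constructed JPEG: JFIF APP0 + Exif APP1 whose IFD0 points at a GPS IFD."""
    ifd0 = b"\x00\x01" + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + b"\x00" * 4
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + ifd0 + b"\x00" * 6  # empty GPS IFD at offset 26
    payload = b"Exif\x00\x00" + tiff
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app0 + app1 + b"\xff\xda\x00\x02" + EOI
```

Dropping all APP1 segments also removes XMP, which can carry location as well; PNG (eXIf chunk) and HEIC store metadata differently and need their own handling.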

Discovery and Verification of the Bug

Security researcher Jan Masters, from Pen Test Partners, identified this metadata exposure during an investigation into Peloton’s API vulnerabilities. TechCrunch independently confirmed the issue by uploading a profile image containing GPS coordinates corresponding to their New York office.

The vulnerability was reported privately to both Peloton and Echelon.

Remediation Efforts

Peloton addressed its API issues earlier this month. However, the company initially stated that removing metadata from existing profile photos would require additional time. A Peloton spokesperson later confirmed the bug fix last week.

Echelon resolved its metadata bug earlier in the month as well. TechCrunch delayed publication of this report until both companies confirmed the bug was fixed and metadata had been removed from previously uploaded photos.

Potential Impact and Risks

The duration of the bug’s existence and any malicious exploitation of user data remain unknown. Cached or scraped copies of the metadata could pose a significant privacy risk, potentially revealing sensitive information like home addresses or workplaces.

Previous incidents, such as the case with Parler, demonstrate the dangers of failing to scrub metadata. Archivists exploited API weaknesses to download the platform’s entire content, exposing the locations of millions of users.

Other platforms, like Slack, have also been slow to implement metadata stripping, despite eventually doing so.

Further Reading

  • Peloton’s leaky API let anyone grab riders’ private account data
  • Echelon exposed riders’ account data, thanks to a leaky API
  • Running apps still lag behind on privacy and security
  • 2020 was a disaster, but the pandemic put security in the spotlight