
Peloton API Leak Exposes Rider Data | Security Breach

May 5, 2021

Peloton Data Exposure: A Security Researcher's Discovery

During a workout last Monday afternoon, I received a message from a security researcher showcasing a screenshot of data extracted from my Peloton account.

My Peloton profile is configured for complete privacy, and my friends list is intentionally empty, preventing any visibility into my profile details, age, location, or exercise activity. A bug in Peloton's API nevertheless let anyone pull that private account data straight from Peloton's servers, with the privacy settings never consulted.

Peloton's Subscriber Base and Business Model

Peloton, the well-known at-home fitness company famous for its indoor cycling bike and previously troubled treadmills, boasts a subscriber base exceeding three million. Reports indicate that even President Biden owns a Peloton bike.

The bike itself is priced from more than $1,800, and access to the company's library of classes requires a separate monthly subscription.

The API Vulnerability Explained

Around the time of President Biden's inauguration – and the potential relocation of his Peloton to the White House, pending Secret Service approval – security researcher Jan Masters at Pen Test Partners found that Peloton's API was exposing private account data.

Masters found that Peloton's API answered unauthenticated requests for any user's account data: it neither checked who was asking nor whether that caller was allowed to see the requested profile. An API is the interface through which different systems talk to each other, such as a Peloton bike and the company's data servers.

The exposed API returned a user's age, gender, city, weight, workout statistics, and even birthday – information that is supposed to be hidden when a profile is set to private.

Reporting and Initial Response

Masters reported the vulnerable API to Peloton on January 20th, giving the company the customary 90 days to fix the flaw before details would be published.

However, the deadline passed without a fix, and Masters received only an initial acknowledgment of the report from the company.

Peloton then restricted the API to paying members, but that did not fix the bug: the new check answered only whether the caller had paid, not whether the caller was allowed to see the requested profile, so anyone could simply take out a subscription and pull the same private data again.
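The distinction between the two responses above, authentication versus authorization, is easiest to see in code. The following is an added example, not Peloton's API or any code from the researcher: a toy profile endpoint in three versions. Version 1 is the flaw as the article describes it (no authentication, privacy flag ignored), version 2 is the subscriber-only gate that still leaks, and version 3 authenticates the caller and then enforces the target profile's own privacy setting. All accounts, tokens, field names and the endpoint shape are constructed for the example.

```python
"""Added example: three versions of a profile read endpoint.

Everything here (accounts, tokens, field names, return shapes) is constructed
for illustration and is not Peloton's actual API.
"""
from dataclasses import dataclass, field

# The data classes the article lists as exposed despite a private profile.
PRIVATE_FIELDS = ("age", "gender", "city", "weight", "workouts", "birthday")


@dataclass
class Profile:
    username: str
    private: bool
    subscriber: bool
    friends: set = field(default_factory=set)   # account ids allowed to see details
    details: dict = field(default_factory=dict)  # values for PRIVATE_FIELDS


# Constructed sample accounts (hypothetical riders).
USERS = {
    "u1": Profile("rider_one", private=True, subscriber=True, friends={"u2"},
                  details={"age": 34, "gender": "f", "city": "Austin",
                           "weight": 150, "workouts": 212, "birthday": "1987-03-14"}),
    "u2": Profile("friend_two", private=False, subscriber=True,
                  details={"age": 41, "gender": "m", "city": "Denver",
                           "weight": 180, "workouts": 57, "birthday": "1980-07-02"}),
    "u3": Profile("stranger", private=True, subscriber=False),
}

# Constructed bearer tokens mapped to the account they belong to.
TOKENS = {"tok-u2": "u2", "tok-u3": "u3"}


def authenticate(token):
    """Return the calling account id, or None if the token is missing/unknown."""
    return TOKENS.get(token)


def subscribe(user_id):
    """Anyone can become a paying member; this is what defeats version 2."""
    USERS[user_id].subscriber = True


def full_view(p):
    return {"username": p.username, **p.details}


def public_view(p):
    return {"username": p.username}


def get_profile_v1(user_id, token=None):
    """Vulnerable: no authentication at all, and the privacy flag is ignored."""
    p = USERS.get(user_id)
    if p is None:
        return 404, {}
    return 200, full_view(p)


def get_profile_v2(user_id, token=None):
    """Still leaky: checks that the caller pays, not that the caller may view
    this particular profile. Any subscriber can read any other rider's details."""
    caller = authenticate(token)
    if caller is None or not USERS[caller].subscriber:
        return 401, {}
    p = USERS.get(user_id)
    if p is None:
        return 404, {}
    return 200, full_view(p)


def get_profile_v3(user_id, token=None):
    """Fixed: authenticate, then authorize against the *target's* privacy settings.
    Owner, friends, or anyone if the profile is public; otherwise public fields only."""
    caller = authenticate(token)
    if caller is None:
        return 401, {}
    p = USERS.get(user_id)
    if p is None:
        return 404, {}
    if caller == user_id or not p.private or caller in p.friends:
        return 200, full_view(p)
    return 200, public_view(p)


if __name__ == "__main__":
    print("v1, no token:        ", get_profile_v1("u1"))
    print("v2, non-subscriber:  ", get_profile_v2("u1", "tok-u3"))
    subscribe("u3")
    print("v2, after subscribing", get_profile_v2("u1", "tok-u3"))
    print("v3, non-friend:      ", get_profile_v3("u1", "tok-u3"))
    print("v3, friend:          ", get_profile_v3("u1", "tok-u2"))
```

The point of version 3 is that the decision is made per object: the question is not "is the caller a member" but "does this caller have a relationship to this profile that its owner's settings permit". Gating on subscription status, as in version 2, is an authentication policy dressed up as authorization, and it fails as soon as the attacker meets the gate.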

TechCrunch Investigation and Peloton's Confirmation

After the deadline expired, TechCrunch contacted Peloton to inquire about the ignored vulnerability report. Peloton subsequently confirmed that the vulnerability had been resolved. (TechCrunch delayed publication of this story until the issue was fixed to prevent potential misuse.)

Peloton spokesperson Amelise Lane provided a statement regarding the matter.

Masters has published a detailed blog post outlining the technical aspects of the vulnerabilities.

Expert Commentary and Remaining Concerns

Ken Munro, founder of Pen Test Partners, stated to TechCrunch: “Peloton’s initial response to the vulnerability report was lacking, but they ultimately took appropriate action after being prompted. A vulnerability disclosure program requires coordinated effort throughout the organization, not merely a webpage.”

Despite the fix, several questions remain unanswered for Peloton. The company repeatedly declined to explain why it did not respond to Masters’ initial vulnerability report.

It is also currently unknown whether the vulnerabilities were exploited maliciously, such as through large-scale data scraping.

Precedent and Potential Impact

Platforms like Facebook, LinkedIn, and Clubhouse have previously been hit by scraping attacks that used API access to harvest user data in bulk. Peloton, however, declined to say whether it keeps the API access logs that would show whether its leaky endpoint was enumerated in the same way.
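Answering that last question is a log-analysis problem: a scraper walking an unauthenticated profile endpoint looks like one client reading many distinct user ids, often in sequence, in a short time. The following is an added example, not Peloton's tooling: a small detector that parses constructed access-log lines in an assumed format, counts distinct profile ids per client within a sliding window, and reports whether the ids were walked sequentially. The log format, client addresses and user ids are all made up for the example.

```python
"""Added example: spotting profile enumeration in API access logs.

The log format below is assumed for the example, not Peloton's real logs:
    <ISO timestamp> <client> <status> "GET /api/user/<id>"
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) "GET /api/user/(?P<uid>\d+)"$')


def build_sample_log():
    """Constructed sample: one normal client and one enumerating scraper."""
    t0 = datetime(2021, 1, 20, 12, 0, 0)
    lines = []
    # Normal client: a handful of profile views, with repeats, over 15 minutes.
    for i, uid in enumerate([1042, 1042, 2210, 2210, 7, 1042]):
        ts = (t0 + timedelta(minutes=3 * i)).isoformat()
        lines.append(f'{ts} 203.0.113.5 200 "GET /api/user/{uid}"')
    # Scraper: ids 1001..1080 in order, one request per second.
    for i in range(80):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} 198.51.100.7 200 "GET /api/user/{1001 + i}"')
    return sorted(lines)  # ISO timestamps lead each line, so this orders by time


def parse(lines):
    """Return (timestamp, client, uid) for every profile read; skip other lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["client"], int(m["uid"])))
    return events


def find_scrapers(events, window=timedelta(minutes=5), min_distinct=50, seq_ratio=0.8):
    """Flag clients that read at least `min_distinct` distinct profiles inside any
    `window`, and note whether consecutive ids mostly differ by exactly 1."""
    by_client = defaultdict(list)
    for ts, client, uid in sorted(events):
        by_client[client].append((ts, uid))

    flagged = {}
    for client, reqs in by_client.items():
        recent = deque()            # (ts, uid) pairs inside the current window
        counts = defaultdict(int)   # uid -> occurrences inside the window
        peak = 0
        for ts, uid in reqs:
            recent.append((ts, uid))
            counts[uid] += 1
            while recent and ts - recent[0][0] > window:
                old_ts, old_uid = recent.popleft()
                counts[old_uid] -= 1
                if counts[old_uid] == 0:
                    del counts[old_uid]
            peak = max(peak, len(counts))
        if peak >= min_distinct:
            steps = [b - a for (_, a), (_, b) in zip(reqs, reqs[1:])]
            sequential = bool(steps) and sum(s == 1 for s in steps) / len(steps) >= seq_ratio
            flagged[client] = {"peak_distinct": peak, "sequential": sequential}
    return flagged


if __name__ == "__main__":
    for client, info in find_scrapers(parse(build_sample_log())).items():
        print(client, info)
```

Thresholds are deliberately parameters: what counts as "too many distinct profiles" depends on how the legitimate app behaves (a leaderboard view may legitimately touch dozens of ids at once), so they should be tuned against a known-good baseline before anyone treats the output as evidence of abuse. The sequential check is a cheap second signal, since real users rarely read profiles in id order.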

#peloton #api #data breach #security #privacy #vulnerability