Peloton’s Leaky API Spilled Riders’ Private Data
On top of the privacy spill, Peloton is also recalling all treadmills after the equipment was linked to 70 injuries and the death of one child.
Peloton has hit a pothole. Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn’t get around to telling the researcher until he reached out to a cybersecurity journalist for some help.
This is bad news for Peloton, coming just before other, far more horrific news hit the headlines: Namely, on Wednesday, the company recalled all of its treadmills, which have been linked to 70 injuries and the death of one child. It also admitted that it had been wrong to refuse the Consumer Product Safety Commission’s request that it pull the equipment: In April, the CPSC warned consumers to stay off the Peloton Tread+, which “poses serious risks to children for abrasions, fractures, and death.”
The CPSC said that it had received multiple reports of children, and at least one pet, getting trapped, pinned, and pulled under the rear roller. The commission posted a disturbing video showing a child getting pulled under the front rollers (he wasn’t injured). “It is believed that at least one incident occurred while a parent was running on the treadmill, suggesting that the hazard cannot be avoided simply by locking the device when not in use,” the CPSC said. “Reports of a pet and objects being sucked beneath the Tread+ also suggest possible harm to the user if the user loses balance as a result.”
At the time of the CPSC warning, Peloton issued a statement scoffing at the commission’s recall request, calling it “inaccurate and misleading.”
That was two weeks ago. Now, the company has done an abrupt about-face. “I want to be clear, Peloton made a mistake in our initial response to the CPSC’s request,” Peloton CEO John Foley said in a statement. “We should have engaged more productively with them from the outset. For that, I apologize.”
More Problems on the Privacy Front
Peloton is also having a tough week in terms of privacy news. Nobody wants to have their supposedly private profile, age, city, or workout history pop up in a screenshot while they’re pumping their quads on one of Peloton’s pricey bikes. But that’s what happened to TechCrunch’s Zack Whittaker last week: It’s how he came to find out that Pen Test Partners needed a trusted journalist – i.e., him – to get Peloton’s attention.
Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, even when their profiles were set to private. As Masters said in a post about the glitch, the leaky API was allowing any user, along with any random internet passerby, to make an unauthenticated request for account data without the API checking whether the requester had any right to that data. The API is what the bikes use to upload data to Peloton’s servers.
The entire list of exposed private details:
- User IDs
- Instructor IDs
- Group Membership
- Location
- Workout stats
- Gender and age
- Whether they are in the studio
That’s not good for any of the company’s riders, of which it has many: Peloton says it has more than 3 million subscribers, with over 1 million of them connected, as in, they pay to synchronize workout classes with their Peloton equipment. But it’s particularly concerning given that one of those members is reportedly President Joe Biden: As the New York Times reported a year ago, the then-presidential candidate started each day by hopping on one of these $1,895 indoor stationary bikes-cum-social-media platforms.
Post-election, cybersecurity watchers raised red flags. As it is, the bikes have built-in cameras and microphones that let riders see and hear each other if they like. Do we really want spies from adversarial nations to be able to peer into the White House workout room? To listen in on the president’s workout, or even to know when, exactly, he’s working out?
In January, Popular Mechanics ran a story questioning the safety of such a setup, with the headline “Why Joe Biden Can’t Bring His Peloton to the White House.” As of March, it wasn’t clear whether the CIA wound up allowing President Biden to move his bike into the White House, though cybersecurity experts told the New York Times that if he wanted it, he could certainly have it – with enough preparation to avoid risks, that is.
But what kind of preparation can you do to protect the president, or anybody, from a leaky API that nobody knows about? Threatpost has reached out to experts to find out and will update this article with their input.
Vulnerability Disclosure Program SNAFU
Masters didn’t anticipate any problem with getting the issue resolved. After all, Peloton has a Vulnerability Disclosure Program. He privately disclosed the flaw to Peloton on Jan. 20, per its program rules. Receipt was acknowledged on the same day. Unfortunately, that’s the last that Pen Test Partners heard from the company.
Two days later, the penetration-testing company asked for an update and offered help in replicating the problem. Again, it didn’t hear back. But by Feb. 2, the security researchers found that the issue with the unauthenticated endpoint had been “silently and partly” resolved.
“User data was now only available to all authenticated Peloton users,” Masters recounted in his post. But it was only a partial fix in that it didn’t solve the problem with the data being exposed to any other Peloton user, he noted.
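The two failure modes described above, an endpoint that never authenticates and a "fix" that authenticates but never authorizes, are easiest to see side by side. The following is an added example written for this article, not Peloton's code or anything published by Pen Test Partners; it models a profile-lookup handler over constructed sample records. The field names, the `is_private` flag and the user IDs are assumptions made for illustration. The third handler shows the object-level check that the partial fix lacked, and the `audit` function is the kind of authorization test a defender would run against any of them before shipping.

```python
"""Added example (not Peloton's code): three versions of a profile-lookup
handler modelling the access-control failures described in the article,
plus an authorization audit that flags which versions leak."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Profile:
    user_id: str
    location: str
    age: int
    is_private: bool


# Constructed sample data for the example; not real accounts.
PROFILES = {
    "u100": Profile("u100", "Austin", 41, is_private=True),
    "u200": Profile("u200", "Denver", 29, is_private=False),
}

# Assumed field split: what a private profile shows to strangers vs. its owner.
PUBLIC_FIELDS = ("user_id",)
FULL_FIELDS = ("user_id", "location", "age")


def _serialize(profile: Profile, fields) -> dict:
    return {name: getattr(profile, name) for name in fields}


def get_profile_v1(requester_id: Optional[str], target_id: str) -> Optional[dict]:
    """Models the original bug: requester_id is never examined, so an
    unauthenticated caller who knows a user ID receives the full record."""
    profile = PROFILES.get(target_id)
    return _serialize(profile, FULL_FIELDS) if profile else None


def get_profile_v2(requester_id: Optional[str], target_id: str) -> Optional[dict]:
    """Models the partial fix: the caller must be a known user, but any
    authenticated user still receives every other user's private fields."""
    if requester_id not in PROFILES:
        raise PermissionError("authentication required")
    profile = PROFILES.get(target_id)
    return _serialize(profile, FULL_FIELDS) if profile else None


def get_profile_v3(requester_id: Optional[str], target_id: str) -> Optional[dict]:
    """Hardened: authenticate, then make an object-level authorization
    decision from the target's own privacy setting. A private profile
    reveals only public fields to anyone but its owner."""
    if requester_id not in PROFILES:
        raise PermissionError("authentication required")
    profile = PROFILES.get(target_id)
    if profile is None:
        return None
    if requester_id == target_id or not profile.is_private:
        return _serialize(profile, FULL_FIELDS)
    return _serialize(profile, PUBLIC_FIELDS)


def audit(handler: Callable[[Optional[str], str], Optional[dict]]) -> list:
    """Try every (requester, target) pair, including an unauthenticated
    requester (None), and return the pairs where a non-owner receives a
    private profile's non-public fields. An empty list means the handler
    enforces the privacy setting for this data set."""
    private_only = [f for f in FULL_FIELDS if f not in PUBLIC_FIELDS]
    findings = []
    for requester in [None, *PROFILES]:
        for target, profile in PROFILES.items():
            if not profile.is_private or requester == target:
                continue
            try:
                data = handler(requester, target)
            except PermissionError:
                continue  # rejected before any data was returned
            if data and any(f in data for f in private_only):
                findings.append((requester, target))
    return findings


if __name__ == "__main__":
    for name, handler in (("v1", get_profile_v1), ("v2", get_profile_v2),
                          ("v3", get_profile_v3)):
        print(name, "leaks to:", audit(handler))
```

The audit deliberately treats "authenticated but not the owner" as an attacker position: that is exactly the case the Feb. 2 partial fix left open. Running it against `get_profile_v1` reports both the anonymous and the logged-in stranger; against `get_profile_v2` only the logged-in stranger; against `get_profile_v3` nothing.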
After 90 days, Pen Test Partners reached out to Whittaker to speak to Peloton on its behalf.
It’s all OK now, according to Masters. On Wednesday, he updated his initial blog post about the situation, saying that he’d finally been contacted directly by Peloton’s CISO.
“Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post,” Masters wrote. “The vulnerabilities were largely fixed within 7 days. It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to. In fairness to Peloton they took it on the chin, thanked us, and acknowledged their failures in the process. I wish all vendors were so honest and grateful.”
Peloton provided this statement to TechCrunch:
“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”
Threatpost reached out to Peloton to ask whether it planned to inform riders that their private data was leaked and to ask how, exactly, it plans to improve its working relations with security researchers. A representative said that the company had nothing else to say beyond what it already shared with Pen Test Partners and TechCrunch.
The post “Peloton’s Leaky API Spilled Riders’ Private Data” appeared first on Threat Post
Source: Threat Post – Lisa Vaas
