Peloton's API leaked riders' private data after the company ignored a vulnerability disclosure from a penetration testing company. Earlier, the company also had to recall all of its treadmills, which had been linked to 70 injuries and the death of one child.
Jan Masters at Pen Test Partners discovered the bug. It enabled attackers to scrape users' private data straight from Peloton's servers, regardless of whether their profiles were set to private. He reported the flaw in a post: a leaky API allowed any user, or any random person, to access a user's account data.
The exposed private data included the following details:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- Whether they were in the studio
Peloton has more than 3 million subscribers, and over 1 million users pay for synchronized workout classes on their Peloton equipment. Interestingly, according to the New York Times, President Joe Biden is also one of its members; a year ago, when he was a presidential candidate, he used one of these machines.
The company had been ignoring concerns raised by cybersecurity experts, even though Peloton has a Vulnerability Disclosure Program in place. The flaws were reported to Peloton under the program's rules on Jan. 20. An acknowledgment receipt is also available for the same day, but that was the last the pen testers heard from the company.
Two days later, the security company offered to help Peloton reproduce the problem. Peloton did not respond, and by Feb. 2 the researchers found that the issue with the unauthenticated endpoint had been "silently and partly" resolved.
According to Masters, user data was now available only to authenticated Peloton users. That was only a partial fix, though: the data was still exposed to any other Peloton user.
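The three states the article describes (no check at all, a check that the caller is logged in, and a check that this caller may read this particular profile) are worth seeing side by side, because the partial fix is the classic case of authentication being mistaken for authorization. The following is an added, constructed example, not Peloton's code or Pen Test Partners' proof of concept; the data model, the field names, the "followers" allow-list and the hypothetical function names are assumptions made for illustration.

```python
# Added, constructed example (not Peloton's code): one profile lookup in the
# three states the article describes. Data model, field names and the
# "followers" allow-list are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    private: bool          # the user's "profile is private" setting
    gender: str
    age: int
    workout_stats: dict
    followers: set = field(default_factory=set)  # assumed allow-list for private profiles


# Constructed sample records
PROFILES = {
    "u100": Profile("u100", True, "F", 34, {"rides": 120}, followers={"u200"}),
    "u300": Profile("u300", False, "M", 41, {"rides": 15}),
}


class Unauthenticated(Exception):
    """Caller presented no valid session."""


class Forbidden(Exception):
    """Caller is logged in but may not read this object."""


def _serialize(p: Profile) -> dict:
    return {"user_id": p.user_id, "gender": p.gender, "age": p.age,
            "workout_stats": dict(p.workout_stats)}


def profile_view_unauthenticated(target_id: str) -> dict:
    """State 1 (original bug): no check at all; anyone can read any profile."""
    return _serialize(PROFILES[target_id])


def profile_view_authn_only(requester_id, target_id: str) -> dict:
    """State 2 (the 'silent, partial' fix): requires a session but never asks
    whether *this* caller may see *this* profile, so private profiles still
    leak to every other logged-in user."""
    if requester_id is None:
        raise Unauthenticated()
    return _serialize(PROFILES[target_id])


def can_view(requester_id, target_id: str) -> bool:
    """Object-level authorization decision: public profiles are visible to any
    authenticated user; private ones only to the owner or an allowed follower.
    Unknown targets are treated as not viewable so the response does not
    reveal which IDs exist."""
    if requester_id is None:
        return False
    p = PROFILES.get(target_id)
    if p is None:
        return False
    if not p.private:
        return True
    return requester_id == p.user_id or requester_id in p.followers


def profile_view_authz(requester_id, target_id: str) -> dict:
    """State 3 (complete fix): authentication followed by per-object authorization."""
    if requester_id is None:
        raise Unauthenticated()
    if not can_view(requester_id, target_id):
        raise Forbidden()
    return _serialize(PROFILES[target_id])


if __name__ == "__main__":
    # A stranger (u999) reading the private profile u100 under each state
    print("state 1:", profile_view_unauthenticated("u100"))
    print("state 2:", profile_view_authn_only("u999", "u100"))
    try:
        profile_view_authz("u999", "u100")
    except Forbidden:
        print("state 3: Forbidden")
```

The point of `can_view` is that the decision is made per object, against the owner's privacy setting, rather than once per session. A test suite for such an endpoint should include a logged-in user who is not the owner requesting a private profile; that single case is exactly what the partial fix failed.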
After 90 days, Pen Test Partners reached out to a journalist, Whittaker, to speak to Peloton on its behalf, which he also mentioned in his blog.
Masters wrote in the blog:
Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post. The vulnerabilities were largely fixed within 7 days. It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to. In fairness to Peloton they took it on the chin, thanked us, and acknowledged their failures in the process. I wish all vendors were so honest and grateful.
Peloton said in a statement to online media:
It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.