Masters uncovered that Peloton’s programming interface accepted unauthenticated requests for data, regardless of whether the user’s account was set to private. TechCrunch reports that the issue has been fixed but that the fitness company’s platform was vulnerable for an extended period of time.
Masters says the flaw was privately disclosed on January 20th and that he didn’t receive a response from Peloton until he reached out to the media regarding it.
The fitness company then released a partial fix on February 2nd that limited access to authenticated users, though anyone with a subscription to its platform could still access sensitive user info. After the media reached out to the company, Peloton finally “largely fixed” the problem.
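The three states the report describes (any request served, only logged-in users served, and finally a check that respects the account’s private setting) are an authentication-versus-authorization distinction. The following is an added example, not Peloton’s code or Masters’s proof of concept: a hypothetical `fetch_profile` policy function run over constructed sample accounts, with a `leaks_private_data` check that shows why the partial fix was not enough.

```python
"""Added example (not the page's or Peloton's code): modelling the three
access-control states described in the report with constructed data."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Profile:
    user_id: str
    private: bool            # the account's "set to private" flag
    workouts: Tuple[str, ...]  # the sensitive data the endpoint returns


# Constructed sample accounts; not real users.
PROFILES = {
    "alice": Profile("alice", private=True, workouts=("ride-1", "ride-2")),
    "bob": Profile("bob", private=False, workouts=("run-1",)),
}

# Hypothetical policy names for the three states in the report.
POLICY_NONE = "none"    # original state: every request is served
POLICY_AUTHN = "authn"  # partial fix: any logged-in subscriber is served
POLICY_AUTHZ = "authz"  # proper fix: owner, or anyone if the profile is public


def fetch_profile(target_id: str, requester_id: Optional[str],
                  policy: str) -> Optional[Profile]:
    """Return the target's profile if the policy allows it, else None.

    requester_id is None for an unauthenticated request.
    """
    target = PROFILES.get(target_id)
    if target is None:
        return None
    if policy == POLICY_NONE:
        return target                      # no check at all
    if requester_id is None:
        return None                        # authn and authz both reject anonymous callers
    if policy == POLICY_AUTHN:
        return target                      # logged in is treated as authorised
    if policy == POLICY_AUTHZ:
        # Authorization: the owner always sees their data; others only if public.
        if requester_id == target.user_id or not target.private:
            return target
        return None
    raise ValueError(f"unknown policy {policy!r}")


def leaks_private_data(policy: str) -> bool:
    """True if a private profile is readable by anyone other than its owner.

    Tries the two requester kinds the report mentions: an unauthenticated
    caller and an unrelated subscriber (constructed user 'carol').
    """
    for requester in (None, "carol"):
        if fetch_profile("alice", requester, policy) is not None:
            return True
    return False


if __name__ == "__main__":
    for policy in (POLICY_NONE, POLICY_AUTHN, POLICY_AUTHZ):
        print(f"{policy:5s} leaks private data: {leaks_private_data(policy)}")
```

Checking every endpoint that takes a user identifier with a table like this (anonymous, unrelated subscriber, owner) is the review step that separates "requires login" from "enforces the privacy setting".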
It’s unclear if attackers actually exploited the security flaw.
In a statement to TechCrunch, Peloton spokesperson Amelise Lane says that “It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community.” Masters has published a blog post detailing the vulnerability.
While it’s unlikely anything nefarious was done with data related to Peloton accounts, this is a great example of the importance of disclosing security flaws and exemplifies the importance of bug bounty programs that encourage white hat hackers to uncover potential issues.
Peloton also recently recalled its treadmill following reports of injuries and one death.