Bad news: Pelotons are exposing user data, even if you have a private account
Fitness machine maker Peloton has had a rough couple of months. After several complaints surrounding the safety of equipment, an investigation was launched earlier this year after the unfortunate death of a child.
The company came under fire for not taking the complaints seriously enough, as at least 39 dangerous incidents have occurred since 2018. Peloton recalled nearly 30,000 machines in the U.S. last year, and initially tried to fight off another recall after this year’s death.
Ultimately buckling under the pressure, Peloton issued a recall for the dangerous units. Now, the company is putting users at risk in different ways.
Here’s the backstory
Security researchers at Pen Test Partners discovered a flaw that would allow anybody to view sensitive information for all Peloton users. This included checking up on live class statistics and attendees, even if the user’s profile was private.
To understand the vulnerability, you must understand how Peloton handles data. The fitness devices make use of mobile and web applications to relay information through several endpoints.
By tapping into one of the unsecured endpoints, an unauthorized user could access the information generated by the machine. Information that can be disclosed even if the profile is private includes:
- User IDs
- Instructor IDs
- Group Membership
- Location
- Workout stats
- Gender and age
- Whether they are in the studio or not
The security researcher who discovered the flaw, Jan Masters, alerted Peloton as soon as possible. However, he explains that the report went “ignored” before the company quietly fixed the issue.
“This endpoint could have been polled by an unauthenticated user, but the ‘fix’ now requires a user account, which anyone can self-register to. This still exposes the same data to any other Peloton user,” Masters explained in a blog post.
What can you do about it?
Peloton eventually corrected the issue after reviewing the data and documentation submitted by Masters and Pen Test Partners. TechCrunch asked Peloton why the report was ignored; the company said it took action but was slow to update Masters about the progress.
For now, your data on a Peloton machine shouldn’t be exposed. But if you are concerned that your information leaked onto the internet, head on over to HaveIBeenPwned? to check. The site searches breached databases for your email address and recommends actions to take if it was leaked.
“Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported,” Peloton’s spokesperson Amelise Lane told TechCrunch.
Recall of dangerous units
Peloton reluctantly issued a recall notice for its Tread and Tread+ machines. According to the Consumer Product Safety Commission, a total of 72 reports detailed injuries sustained by adult users, children, and pets.
This stems from the February incident where a father found his three-year-old son pulseless underneath a Peloton Tread+. He had a neck injury, and tread marks matching the treadmill’s slats marred his back. The victim now has significant brain damage.
Of the 72 reports, 29 involve children who suffered second- and third-degree burn wounds, broken bones and severe cuts. The Tread+ recall is for potentially pulling users underneath the machine. The regular Tread recall is for numerous cases where the touchscreen fell off.
If you have a Tread+, you have until Nov. 6, 2022, to return your device to Peloton for a full refund. Regular Tread owners can have Peloton come to their house to fix the screen or return the unit for a full refund.