An old version of Peloton’s API, the software that allows the company’s bikes and recalled treadmills to communicate with its servers, may have exposed private customer profiles, according to a report from TechCrunch. The bug was first spotted by Jan Masters, a security researcher at Pen Test Partners, and reported to Peloton on January 20th, but the company is only just now confirming that the bug has been fixed.
Using Peloton’s API, Masters was able to scrape all sorts of customer information that would typically be private, depending on the individual user’s settings. That includes customer profiles, which can potentially feature their age, location, birthday, and workout history. All Masters had to do was make an unauthenticated request to Peloton’s API and customer data was his. Masters has a more thorough explanation of how the exploit worked on Pen Test Partners’ blog and also summarized his findings in the video below:
After reporting the bug to Peloton, Masters set a 90-day deadline to address the issue. That deadline came and went without Peloton saying whether the API was fixed, which prompted Masters to turn to TechCrunch. Peloton finally responded and shared the following statement with the publication:
It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.
The screens on Peloton’s bikes and treadmills are what make the company’s workout ways so compelling. It’s how subscribers attend classes, track their workouts, and even do other non-bike or treadmill exercises. It’s a feature that Peloton charges $39 per month for an all-access membership to. Yet, like all connected devices, particularly fitness ones, it can leave private customer information more vulnerable than a non-connected stationary bike would.
Masters writes that Peloton apologized and said it resolved a majority of the API issues within a week of his report. What’s not immediately clear is if anyone other than Masters gained access to customer data while the API was in a leaky state.
When The Verge followed up to check, Peloton said it had nothing new to share that it hadn’t already provided TechCrunch and Pen Test Partners. The company also reiterated it responded to the API issue immediately.