Morris Manning & Martin, LLP

Newly Patched Peloton API Flaws Exposed Users' Private Data


Security researchers say API flaws could have exposed the private data of millions of Peloton fitness equipment online service users for months before they were recently patched.

The vulnerability issues emerged the same week that Peloton announced the voluntary recalls of two of its treadmills due to serious safety concerns.

In a blog posted Wednesday, security consultancy Pen Test Partners says that in January its researchers notified Peloton via its vulnerability disclosure site about flaws in an endpoint API.

The flaws could allow unauthenticated individuals to view sensitive information for all Peloton users, including snooping on live class statistics, even when users chose private mode settings for their account profiles, Pen Test Partners says.

In a statement provided to Information Security Media Group, Peloton acknowledged that it implemented a partial fix for one of the reported issues when it received the initial report from the security researchers.

Peloton has more than 4.4 million members, including nearly 1.7 million connected fitness subscribers, according to its second quarter 2021 shareholder letter.

MMM's Ashley Thomas says the Peloton incident highlights the importance of businesses conducting regular security and vulnerability testing on their software to address any potential leaks or unauthorized exposure of personal data.

"The Federal Trade Commission has signaled that organizations should begin to incorporate vulnerability disclosure programs in their business practices," she notes.

The FTC has indicated that the failure to maintain an adequate process for receiving and addressing security vulnerability reports from outside security researchers and consultants could potentially be considered an unreasonable practice in violation of Section 5 of the FTC Act, she adds.

To read the full article from Gov Info Security, click here