Pen Testers Discover a Security Bug on Peloton’s Servers
Once COVID hit, people were all jumping on the Peloton bike to stay fit in the safety of their homes. It is a top-quality exercise bike that comes with an app and a subscription. It gives users access to live, real-time classes and sessions with a coach.
Peloton is booming: in 2020 it announced a 113% year-over-year increase, which it expects to double in 2021.
Well, Peloton has hit a pothole. It had to recall all of its treadmills, which have been linked to 70 injuries and the death of one child. On top of that, there was exposed user data. An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and their attendees, even when those users had enabled the app's private mode.
What went wrong?
- The Peloton app API allowed any user to access someone else’s data even if they were in “private” mode.
- Peloton failed to address the flaw quickly enough and only took proper remedial action after being warned by the press.
- It is not unlikely that someone has already scraped all user data from the leaky API and plans to publish it soon.
The researcher found that an unauthenticated user could view sensitive information for any user of the Peloton network, snoop on their activities, and collect data that could be abused in a variety of ways. More specifically, the information that could be accessed includes the following:
- User IDs
- Instructor IDs
- Group Membership
- Workout stats
- Gender and age
- Whether or not they are in the studio
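The flaw described above is a textbook case of broken object level authorization: the API resolved a user ID to a record without checking who was asking or honouring the private flag. The following is an added example (not Peloton's code) that models such a handler beside a hardened version; the field names, user IDs and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    """Constructed profile record with the kinds of fields listed above."""
    user_id: str
    age: int
    gender: str
    private: bool
    groups: list = field(default_factory=list)
    workout_stats: dict = field(default_factory=dict)


# Constructed sample data, not real accounts.
USERS = {
    "u100": User("u100", 34, "F", True, ["cyclists"], {"rides": 120}),
    "u200": User("u200", 41, "M", False, ["runners"], {"rides": 8}),
}

# The only fields anyone other than the owner should ever see.
PUBLIC_FIELDS = ("user_id", "groups")


def get_profile_vulnerable(target_id: str, caller_id: Optional[str] = None) -> dict:
    """Flawed handler: fetches the object by ID and returns every field,
    without checking who is asking or whether the profile is private."""
    user = USERS[target_id]
    return {"status": 200, "body": dict(vars(user))}


def get_profile_hardened(target_id: str, caller_id: Optional[str] = None) -> dict:
    """Hardened handler: authenticate the caller, then authorize per object.
    The owner gets the full record; anyone else gets only PUBLIC_FIELDS,
    and nothing at all when the owner has switched on private mode."""
    if caller_id is None or caller_id not in USERS:
        return {"status": 401, "body": {"error": "authentication required"}}
    user = USERS.get(target_id)
    if user is None or (user.private and caller_id != user.user_id):
        # Same answer for "unknown" and "private" so IDs cannot be enumerated.
        return {"status": 404, "body": {"error": "not found"}}
    if caller_id == user.user_id:
        return {"status": 200, "body": dict(vars(user))}
    return {"status": 200, "body": {k: getattr(user, k) for k in PUBLIC_FIELDS}}
```

The vulnerable handler hands an anonymous caller the age, gender, groups and workout stats of a private profile; the hardened one refuses unauthenticated calls outright and never reveals whether a private user ID exists.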
Peloton says it has more than 3 million subscribers. Famous figures such as the President of the United States use Peloton.
2021 is shaping up to be the year of the API attack. As more leaks happen, we will need to pay attention to the vulnerabilities behind them. As more things are connected to the internet, this will continue to be a problem. When every appliance is connected to the internet, we are trusting our data to companies that are not focused on data security.
Your API is the gateway to your data! The Top 10 API Security Risks (as catalogued by OWASP):
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
Are you ready to learn how to be a pentester? Consider taking CompTIA PenTest+ with Intellectual Point!
CompTIA PenTest+ is a certification for cybersecurity professionals who are tasked with identifying, exploiting, reporting, and managing vulnerabilities on a network.
CompTIA PenTest+ assesses the most up-to-date penetration testing, vulnerability assessment, and vulnerability management skills necessary to determine the resiliency of a network against attacks. Successful candidates will also have the skills required to customize assessment frameworks, effectively collaborate on and report findings, and communicate recommended strategies to improve the overall state of IT security.
You could also consider taking Certified Ethical Hacker (CEH) with Intellectual Point!
A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker but lawfully and legitimately to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.
The Certified Ethical Hacker (CEH) is a core training program for an information security professional, also referred to as a white-hat hacker, who systematically inspects network infrastructure with the consent of its owner to find security vulnerabilities that a malicious hacker could potentially exploit. The course helps you assess the security posture of an organization by identifying vulnerabilities in the network and system infrastructure to determine whether unauthorized access is possible. The Certified Ethical Hacker program is the most comprehensive Ethical Hacking program in the world.