Peloton API's security flaws exposed users' private data

President Joe Biden is among Peloton's famous users

Security flaws in follow-along fitness firm Peloton's software could have exposed millions of users' private data for months before being patched.

Jan Masters, a researcher at security consultancy Pen Test Partners, discovered the vulnerabilities in Peloton's API. He reported them to Peloton on 20th January through the company's vulnerability disclosure site, but has heard nothing since a receipt acknowledgement.

Masters told TechCrunch that he was able to exploit the flaws in Peloton's endpoint API to scrape customers' details, even when they were set to private mode.

Peloton's API allows the company's products (treadmills and bikes) to communicate with its servers.

Peloton has more than 4.4 million members and 1.7 million connected fitness subscribers. Its customers include famous figures like US President Joe Biden.

Masters said that Peloton's API presented many types of user data without authentication, including customer IDs, age, location, birthday, live class statistics, instructor IDs and group membership.

'The mobile, web application and back-end APIs had several endpoints that revealed users' information to both authenticated and unauthenticated users,' the Pen Test Partners team said in a blog post.

After notifying Peloton about the vulnerability, Masters gave the firm a 90-day deadline to fix the issue. The deadline passed with no further contact. Peloton 'fixed' one of the issues in February, by restricting equipment to only connect with requests coming from valid Peloton accounts. However, that still meant that users' data was accessible to all authenticated Peloton users.
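The gap between the February fix and a real fix is the difference between authentication and object-level authorization. The example below, added here and not Peloton's code, models both policies over a constructed profile store: the weak handler only checks that the caller is logged in, while the hardened one also honours the profile owner's private-mode setting (the `Profile` fields, the follower list and the user IDs are assumptions for illustration).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    """Constructed stand-in for a fitness-platform profile record."""
    user_id: str
    private: bool
    age: int
    location: str
    followers: set = field(default_factory=set)

# Constructed sample data: alice is in private mode and follows nobody back;
# carol is on alice's approved follower list, bob is a stranger.
PROFILES = {
    "alice": Profile("alice", private=True, age=34, location="Austin",
                     followers={"carol"}),
    "bob": Profile("bob", private=False, age=41, location="Denver"),
}

def _require_login(viewer_id: Optional[str]) -> None:
    # Authentication: the caller must present a valid account at all.
    if viewer_id is None:
        raise PermissionError("authentication required")

def weak_get_profile(viewer_id: Optional[str], target_id: str) -> dict:
    """Authentication only: any logged-in user can read any profile, which is
    the state the article describes after the February change."""
    _require_login(viewer_id)
    p = PROFILES[target_id]
    return {"id": p.user_id, "age": p.age, "location": p.location}

def hardened_get_profile(viewer_id: Optional[str], target_id: str) -> dict:
    """Authentication plus object-level authorization: private-mode profiles
    expose only a minimal public subset to anyone who is not the owner or an
    approved follower."""
    _require_login(viewer_id)
    p = PROFILES.get(target_id)
    if p is None:
        raise LookupError("no such profile")
    allowed = viewer_id == target_id or viewer_id in p.followers
    if p.private and not allowed:
        return {"id": p.user_id, "private": True}
    return {"id": p.user_id, "age": p.age, "location": p.location}
```

Note that the hardened check fails closed on an unknown target and never branches on the presence of the requested field, so scraping by ID enumeration yields nothing beyond what the owner chose to publish.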

Peloton now says the issue has been fixed.

'Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that's available on a Peloton profile,' the company said in a statement.

'We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts.'

The firm added that it would take more steps 'to work collaboratively with the security research community' in the future, and would 'respond more promptly when vulnerabilities are reported.'