With Peloton’s leaky API, anyone can get riders’ private account details


In the middle of my Monday After training last week in the afternoon, I received a message from a security researcher with a screenshot of my Peloton account information.

My Peloton profile is set to private and my friends list is intentionally zero so no one can see my profile, age, city, or training history. However, a bug allowed anyone to get users’ private account information directly from Peloton’s servers, even if their profile was set to private.

Peloton, the home fitness brand synonymous with stationary indoor bike and crowded treadmills, has more than three million subscribers. Even President Biden is said to have one. The exercise bike alone starts at $ 1,800, but anyone can sign up for a monthly subscription to take a variety of classes.

When Biden was initiated (and his peloton moved into the White House – assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found that he could make unauthenticated requests to the Peloton API for user account information, without checking make sure the person was allowed to request this. (An API allows two things to communicate with each other over the Internet, such as a Peloton bike and the company’s servers that store user data.)

With the exposed API, he – and anyone else on the internet – can access the age, gender, city, weight, training stats of a Peloton user and, if it was the user’s birthday, details that are hidden when the user’s profile pages can be set to private.

Masters reported the leaking API to Peloton on January 20, giving 90 days to correct the problem. This is the standard time security researchers give companies to fix bugs before details are released.

But that deadline came and went, the bug was not fixed, and Masters hadn’t heard from the company other than an initial email confirming receipt of the bug report. Instead, Peloton limited access to its API to only its members. However, this just meant that anyone with a monthly membership could log in and access the API again.

TechCrunch contacted Peloton after the deadline to ask why the vulnerability report was being ignored, and Peloton confirmed yesterday that the vulnerability had been fixed. (TechCrunch kept this story until the bug was fixed to prevent abuse.)

Peloton spokeswoman Amelise Lane made the following statement:

Keeping our platform secure is a priority for Peloton and we are always looking to improve our approach and process to working with the external security community. Through our coordinated vulnerability disclosure program, a security researcher informed us that he could access our API and view information available in a Peloton profile. We have taken action and addressed the issues based on his initial contributions, but we have been slow to keep the researcher informed of our remediation efforts. In the future, we’ll do better to work with the security research community and respond more quickly when vulnerabilities are reported. We would like to thank Ken Munro for submitting his reports on our CVD program and for being open to working with us to resolve these issues.

Since then, Masters has published a blog post that explains the vulnerabilities in more detail.

Munro, who founded Pen Test Partners, told TechCrunch, “Peloton had a little trouble responding to the vulnerability report, but took appropriate action when pushed in the right direction. A vulnerability disclosure program is not just a page on a website. It requires coordinated action across the company. “

However, questions remain for Peloton. In response to repeated questions, the company declined to explain why it hadn’t responded to Masters’ vulnerability report. It is also not known if anyone maliciously exploited the vulnerabilities, e.g. B. Mass Scraping Account Information.

Facebook, LinkedIn, and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to get data about users on their platforms. However, Peloton declined to confirm whether logs were in place to rule out malicious exploitation of its leaky API.


Melinda Martin