Tour de Peloton: Exposed user data | Pen Test Partners
An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. TL;DR Information disclosed included: – User […]
It’s anything but a smooth ride today for Peloton – with news of leaky APIs paired with a recall of all their treadmills, not to mention cybersecurity concerns earlier this year with President Biden’s own bike, it’s going to be a bumpy one.
Jason Kent, Hacker in Residence at Cequence Security:
“One of the biggest trends sparked by COVID, Peloton, is now realizing the impact fast growth can have if you don’t take appropriate security measures into account. With 4.4 million members on the platform, the company’s foundation is in building a workout community no matter where users are – allowing friends, family members and even strangers to exercise “together” while being apart in these uncertain times. But in doing so, have they put the community at risk?
The world of API security is set in 2009’s web security paradigm and many of the same flaws we already know how to fix are present in APIs. Experian, John Deere, and now a major consumer brand have been breached within the last month via their APIs because of immaturity in the way security on APIs is being handled. The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data. The information might not show in the application itself, but developers and security teams need to also confirm that the APIs themselves conform to the security measures in place. If 2013 was the year of the web attack, 2021 is shaping up to be the year of the API attack. Organizations need to react quickly to first, find all of their API endpoints and secondly, understand their security posture.”
Uriel Malmon, senior director of emerging technologies at PerimeterX:
“Modern web apps are no longer the monolithic, UI-centric, custom-built applications of the early Internet. Today’s web is geared towards devices, communication with other apps and with human users. Modern web apps utilize standardized components rather than being all built in-house.
While this has vastly accelerated the speed and agility of bringing digital technology to market, it is also a fertile ground for security issues. For example, the fact that API communication is “invisible” to humans makes it harder to test in traditional QA settings. And the mixing of various components, most of which are not developed in-house, causes a lack of clarity about where verification or validation should happen. Modern apps built with components are also open to abuse anywhere in the “supply chain” of components that make up a site.
It’s important to remember that when sensitive information leaks, it doesn’t affect just the website that leaked it. The users can be affected for years to come in completely unexpected ways. For example private information can be used to create synthetic identities that are then used to generate fraudulent credit card or loan applications which inevitably affects the original users but also the financial institution. It also affects the original website whose brand and image will inevitably suffer and whose reporting obligations and liability may be very costly.
Web app security is everyone’s problem, and we must all work together to make the web a safer place.”