A bug in Pelotons API may have exposed a whole lot of user data

An old version of Peloton’s API, the software that allows the company’s bikes and recalled treadmills to communicate with its servers, may have exposed private customer profiles, according to a report from TechCrunch. The bug was first spotted by Jan Masters, a security researcher at Pen Test Partners, and reported to Peloton on January 20th, but the company is only just now confirming that the bug has been fixed.

Using Peloton’s API, Masters was able to scrape all sorts of customer information that would typically be private, depending on the individual user’s settings. That includes customer profiles, which can potentially feature their age, location, birthday, and workout history. All Masters had to do was make an unauthenticated...

Continue reading…