"Weaknesses in Fitness Tracking App Strava's Features Used to Expose Israel's Secret Military Bases"

A feature in the Strava fitness tracking app designed to encourage user competition has instead been exploited by unknown spies to track members of the Israeli military as they run routes on secret military bases. The fitness tracking app may have inadvertently jeopardized not only classified locations but also personnel movement over long periods of time. For example, the name of a military member was made public. Spies were also able to track the race on Strava, which could then be used to view all of the other locations where they had exercised. Security researchers discovered an anonymous profile in Boston that was actively abusing the fitness tracking app to track users running in known military bases and outposts across Israel.

The vulnerability stems from a feature called "segments" that enables Strava users to define portions of running trails where they can record their own best times. The feature is supposed to allow users to post their segment times and compete to outdo one another. The issue is that the Strava user does not have to physically visit the location to create a segment, as they can simply upload GPS data recorded by various other devices. This opens the door to uploading fabricated GPS data, which has clearly occurred given Strava segments with impossible times or routes. By creating one of these segments, a Strava user from anywhere in the world can insert themselves into any running route they want.

After that, they can take advantage of another feature oversight in the fitness tracking app: the removal of certain privacy features when a user chooses to upload their data to a segment. Strava users can typically make their personal profiles private or only accessible to approved followers. Regardless of these settings, their segment records, which are accessible to anyone using the app, will always include their first name, first initial of their last name, and profile picture unless they disable this individually for each segment.
This article continues to discuss the potential exploitation and impact of the security flaw in the Strava fitness tracking app.
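The summary notes that fabricated uploads show up as segments with impossible times or routes. As an added example (not from the article and not Strava's code), the sketch below shows one way a platform could screen an uploaded GPS track for physically implausible running speeds before it is allowed to define a segment; the function names, thresholds and sample coordinates are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

MAX_FIX_SPEED_MS = 12.5  # assumption: around peak human sprint speed
MAX_AVG_SPEED_MS = 7.0   # assumption: faster than any sustained running pace

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def screen_track(points):
    """points: list of (datetime, lat, lon). Returns reasons to reject the upload."""
    if len(points) < 2:
        return ["too few points"]
    reasons, total = [], 0.0
    for (t0, *p0), (t1, *p1) in zip(points, points[1:]):
        dt = (t1 - t0).total_seconds()
        if dt <= 0:  # replayed or hand-edited files often break time ordering
            reasons.append(f"non-increasing timestamp at {t1.isoformat()}")
            continue
        d = haversine_m(p0, p1)
        total += d
        if d / dt > MAX_FIX_SPEED_MS:
            reasons.append(f"{d / dt:.1f} m/s between fixes at {t1.isoformat()}")
    elapsed = (points[-1][0] - points[0][0]).total_seconds()
    if elapsed > 0 and total / elapsed > MAX_AVG_SPEED_MS:
        reasons.append(f"average {total / elapsed:.1f} m/s over {total:.0f} m")
    return reasons

def make_track(step_s, n=20):
    """Constructed sample: n fixes about 30 m apart, step_s seconds between fixes."""
    start = datetime(2022, 1, 1, 6, 0, 0)
    return [(start + timedelta(seconds=i * step_s), 10.0 + i * 0.00027, 20.0)
            for i in range(n)]

if __name__ == "__main__":
    print("plausible :", screen_track(make_track(10)))     # about 3 m/s
    print("fabricated:", screen_track(make_track(1))[:2])  # about 30 m/s
```

A speed check only catches crude fabrication; a track synthesized at a realistic pace passes it, so it complements rather than replaces the per-segment privacy setting the summary describes.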

CPO Magazine reports "Weaknesses in Fitness Tracking App Strava's Features Used to Expose Israel's Secret Military Bases"
