"Researcher Claims Peloton APIs Exposed All Users Data"

Security researchers from Pen Test Partners have discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users. The researchers stated that the mobile and web applications and the back-end APIs had several endpoints that revealed users’ information to both authenticated and unauthenticated users. Among the potentially exposed data were user and instructor IDs, group membership, location, workout stats, gender, age, and whether users are in the studio or not. The researchers believe that Peloton should conduct a full investigation to improve its security, especially now that famous individuals are openly using the service. The researchers also found that the flaws were so bad that they leaked information even for users in privacy mode.

 

Infosecurity reports: "Researcher Claims Peloton APIs Exposed All Users Data"

Submitted by Anonymous on