Peloton and Echelon profile photos exposed riders’ real-world locations

Security researchers say at-home exercise giant Peloton and its closest rival Echelon were not stripping user-uploaded profile photos of their metadata, in some cases exposing users’ real-world location data.

Almost every file, photo or document contains metadata, which is data about the file itself, such as how big it is, when it was created, and by whom. Photos and video will often also include the location from where they were taken. That location data helps online services tag your photos or videos that you were at this restaurant or that other landmark.

But those online services — especially social platforms, where you see people’s profile photos — are supposed to remove location data from the file’s metadata so other users can’t snoop on where you’ve been, since location data can reveal where you live, work, where you go, and who you see. Others have been slow to adopt metadata stripping, like Slack, even if it got there in the end.

Jan Masters, a security researcher at Pen Test Partners, found the metadata exposure as part of a wider look at Peloton’s leaky API. TechCrunch verified the bug by uploading a profile photo with GPS coordinates of our New York office, and checking the metadata of the file while it was on the server.

The bugs were privately reported to both Peloton and Echelon.

Peloton fixed its API issues earlier this month but said it needed more time to fix the metadata bug and to strip existing profile photos of any location data. A Peloton spokesperson confirmed the bugs were fixed last week. Echelon fixed its version of the bug earlier this month. But TechCrunch held this report until we had confirmation that both companies had fixed the bug and that metadata had been stripped from old profile photos.

It’s not known how long the bug existed or if anyone maliciously exploited it to scrape users’ personal information. Any copies, whether cached or scraped, could represent a significant privacy risk to users whose location identifies their home address, workplace, or other private location.

Read more:

Credit belongs to : www.techcrunch.com

You May Also Like

Vietnamese financial services app MFast gets $1.5M pre-Series A led by Do Ventures

MFast, a mobile app that lets Vietnamese users in remote areas access financial services, announced today it has raised a $1.5 million pre-Series A. The round was led by Do Ventures, with participation from JAFCO Asia.  Launched in 2019 by fintech company Digipay, MFast says it has been used by 600,000 people to date. It […]

GrowSari, a B2B platform for small stores in the Philippines, adds investors like Temasek’s Pavilion Capital and Tencent

Sari-sari stores are neighborhood stores in the Philippines that usually sell daily necessities and sometimes serve as community hubs, too. Today GrowSari, a startup that is digitizing sari-sari stores with features like pricing tools, inventory management and working capital loans, announced it has raised a Series B from several notable investors that brings its total […]
error: Content is protected !!