Peloton and Echelon profile photos exposed riders’ real-world locations

Security researchers say at-home exercise giant Peloton and its closest rival Echelon were not stripping user-uploaded profile photos of their metadata, in some cases exposing users’ real-world location data.

Almost every file, photo or document contains metadata, which is data about the file itself, such as how big it is, when it was created, and by whom. Photos and video will often also include the location from where they were taken. That location data helps online services tag your photos or videos that you were at this restaurant or that other landmark.

But those online services — especially social platforms, where you see people’s profile photos — are supposed to remove location data from the file’s metadata so other users can’t snoop on where you’ve been, since location data can reveal where you live, work, where you go, and who you see. Others have been slow to adopt metadata stripping, like Slack, even if it got there in the end.

Jan Masters, a security researcher at Pen Test Partners, found the metadata exposure as part of a wider look at Peloton’s leaky API. TechCrunch verified the bug by uploading a profile photo with GPS coordinates of our New York office, and checking the metadata of the file while it was on the server.

The bugs were privately reported to both Peloton and Echelon.

Peloton fixed its API issues earlier this month but said it needed more time to fix the metadata bug and to strip existing profile photos of any location data. A Peloton spokesperson confirmed the bugs were fixed last week. Echelon fixed its version of the bug earlier this month. But TechCrunch held this report until we had confirmation that both companies had fixed the bug and that metadata had been stripped from old profile photos.

It’s not known how long the bug existed or if anyone maliciously exploited it to scrape users’ personal information. Any copies, whether cached or scraped, could represent a significant privacy risk to users whose location identifies their home address, workplace, or other private location.

Read more:

Credit belongs to : www.techcrunch.com

You May Also Like

Rocket Lab will attempt to catch an Electron rocket booster with a helicopter again

Rocket Lab is gearing up for a second attempt to catch a rocket booster mid-air using a helicopter, a technique the company is hoping to perfect after a partially successful recovery earlier this year. The mission, playfully dubbed “Catch Me If You Can,” is scheduled to take place no earlier than November 4 from the […]

Rocket Lab will attempt to catch an Electron rocket booster with a helicopter again by Aria Alamalhodaei originally published on TechCrunch

error: Content is protected !!