Recently patched vulnerabilities in Peloton’s bike software may have allowed unauthorized users to view sensitive user data, new security research published this week found.
Pen Test Partners, a cybersecurity group, said that earlier this year it discovered vulnerabilities allowing unauthenticated users to exploit Peloton’s API, the software that facilitates communication between the bikes and company servers.
The vulnerabilities could potentially allow an individual to view personal information on Peloton users, including their location, gender and age, as well as class attendees, even if users have the private mode turned on.
Pen Test Partners said it notified Peloton, giving the company 90 days to patch the vulnerabilities before going public. But according to a blog post published by Pen Test Partners on Wednesday, Peloton “acknowledged the disclosure” but did not “fix the vulnerability.”
TechCrunch first reported the vulnerabilities, which were made public the same week Peloton was forced to issue a recall for all of its treadmills following a child's death and dozens of reported injuries by users. The treadmills used the same vulnerable API.
A spokesperson for Peloton pushed back against the idea that personal data may have been breached, telling The Hill in an emailed statement that “the identification of vulnerabilities by itself does not constitute a breach.”
“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson said. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.”
The spokesperson added that Peloton took action and addressed the vulnerabilities when Pen Test Partners first reached out but had been “slow to update the researcher about our remediation efforts.”
“As of this week, we have implemented fixes to the rest,” the spokesperson said. “Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported."
The company also thanked Pen Test Partners founder Ken Munro for submitting the reports on vulnerabilities and “being open to working with us to resolve these issues.”
Pen Test Partners later indicated that Peloton had addressed the cyber vulnerabilities.
“Peloton leaked sensitive data for all users,” the company tweeted. “Initially the disclosure was a mess but their lovely new CISO got it sorted fast!”