Vulnerabilities Exposed Pelton User Data

Special security research published this week, states that unauthorized users might have been able to access confidential user information through recently patched vulnerabilities in Peloton’s bike software. The same week, Peloton revealed that two of its treadmills were voluntarily recalled because of significant security concerns and vulnerability problems. 

Pen Test Partners, a cybersecurity organization, said it found loopholes earlier this year that enable unauthenticated users to use Peloton’s API, a platform that allows bikes-to-server communications. 

The bugs could enable untrusted users, even when personal mode settings have been selected for their account profiles, to access confidential material for all Peloton users, even Live-class information, says Pen Test Partners. 

Pen Test Partners has informed Peloton, which gives the company 90 days until publication to fix the vulnerabilities. However, Peloton has “acknowledged the disclosure,” but hasn’t “fix the vulnerability,” as per a blog posted by Pen Test Partners on Wednesday 5th of May 2021. 

TechCrunch first revealed the bugs, that were publicly disclosed the same week. After the death of a child and hundreds of users reported accidents, Peloton had to withdraw all its treadmills. The workpieces have had the same insecure API. 

A Peloton spokesman denied the idea that confidential information might have been infringed, saying that through an e-mail address to The Hill, “the identification of vulnerabilities by itself does not constitute a breach.” 

“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson added. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.” 

Peloton also noted that when the Pen Test partners eventually approached, but it was “slow to update the researcher about our remediation efforts,” he acted and addresses the vulnerabilities. 

The organization also praised Pen Test Partner creator Ken Munro for sending and collaborating with them on the vulnerability studies. Pen Test Partners later proposed that the cyber vulnerabilities had been resolved by Peloton.