Peloton and Echelon profile photo metadata exposed riders’ real-world locations

Security researchers say at-home exercise giant Peloton and its closest rival Echelon were not stripping user-uploaded profile photos of their metadata, in some cases exposing users’ real-world locations.

Almost every file, photo or document contains metadata, which is data about the file itself, such as its size, when it was created, and by whom. Photos and videos often also embed the GPS coordinates of where they were taken (for photos, in the Exif section of the file). That location data is what lets online services tag your photos or videos with the restaurant or landmark you visited.

But online services, especially social platforms, where other people can see your profile photo, are supposed to remove location data from the file’s metadata so other users can’t snoop on where you’ve been, since location data can reveal where you live and work, where you go, and who you see.
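The two steps the article describes, reading GPS coordinates out of a photo’s Exif metadata and stripping that metadata before the file is served, as an added pure-Python example (not Peloton’s, Echelon’s or TechCrunch’s code). The JPEG bytes are constructed inline with made-up coordinates (40.75 N, 74.0 W) so the example runs offline; it is not a decodable picture, only the marker structure a stripper has to handle.

```python
"""Added example: locate Exif GPS tags in a JPEG and strip metadata segments.
Only the standard library is used; the sample file is constructed below."""
import struct

SOS, APP0, APP1, APP2, COM = 0xDA, 0xE0, 0xE1, 0xE2, 0xFE
TAG_GPS_IFD = 0x8825                     # IFD0 pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg():
    """Constructed JPEG: SOI, JFIF APP0, Exif APP1 with GPS tags, SOS, EOI.
    TIFF header is big-endian ("MM"); offsets below are relative to it:
    IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes), lat at 80, lon at 104."""
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"   # ASCII, inline value
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                # 3 RATIONALs at offset 80
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack(">I", 0)                                   # no next IFD
    lat = struct.pack(">IIIIII", 40, 1, 45, 1, 0, 1)              # 40 deg 45' 0"
    lon = struct.pack(">IIIIII", 73, 1, 59, 1, 60, 1)             # 73 deg 59' 60" == 74.0
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + lat + lon
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment up to and
    including SOS. Everything after SOS is entropy-coded scan data plus EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        if marker == SOS:
            return
        pos += 2 + length


def _read_ifd(tiff, bo, offset):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    n = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        tag, typ, count = struct.unpack(bo + "HHI", e[:8])
        entries[tag] = (typ, count, e[8:12])
    return entries


def _rationals(tiff, bo, off, count):
    v = struct.unpack(bo + "II" * count, tiff[off:off + 8 * count])
    return [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, len(v), 2)]


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no GPS tags exist."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None

        def dms(tag):  # degrees/minutes/seconds rationals -> decimal degrees
            d, m, s = _rationals(tiff, bo, struct.unpack(bo + "I", gps[tag][2])[0], 3)
            return d + m / 60 + s / 3600

        lat = dms(GPS_LAT) * (-1 if gps[GPS_LAT_REF][2][:1] == b"S" else 1)
        lon = dms(GPS_LON) * (-1 if gps[GPS_LON_REF][2][:1] == b"W" else 1)
        return lat, lon
    return None


def strip_metadata(jpeg, keep=(APP0, APP2)):
    """Rebuild the file without APPn/COM segments, keeping only the JFIF
    header and ICC profile; the scan data (the pixels) is copied untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, _, start, end in iter_segments(jpeg):
        is_meta = (0xE0 <= marker <= 0xEF and marker not in keep) or marker == COM
        if not is_meta:
            out += jpeg[start:end]
        if marker == SOS:
            out += jpeg[end:]          # entropy-coded data through EOI
    return bytes(out)


if __name__ == "__main__":
    original = build_sample_jpeg()
    print("uploaded photo GPS:", extract_gps(original))   # (40.75, -74.0)
    print("after stripping:  ", extract_gps(strip_metadata(original)))  # None
```

The check a reviewer would add to an upload pipeline is the second call: re-parse the file you are about to serve and assert that no GPS tags come back, rather than trusting that the stripping step ran. Stripping whole APP1/APP13/COM segments is the safe default; editing individual tags in place risks leaving GPS data behind in a second APP1 (XMP) or a thumbnail IFD.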

Jan Masters, a security researcher at Pen Test Partners, found the metadata exposure as part of a wider look at Peloton’s leaky API. TechCrunch verified the bug by uploading a profile photo containing the GPS coordinates of our New York office, then checking the metadata of the file once it was served back from the server.

The bugs were privately reported to both Peloton and Echelon.

Peloton fixed its API issues earlier this month but said it needed more time to fix the metadata bug and to strip existing profile photos of any location data. A Peloton spokesperson confirmed the issues were fixed last week. Echelon fixed its version of the bug earlier this month. TechCrunch held this report until we had confirmation that both companies had fixed the bug and that metadata had been stripped from existing profile photos.

It’s not known how long the bug existed or whether anybody maliciously exploited it to scrape users’ personal information. Any copies, whether cached or scraped, could present a significant privacy risk to users whose location reveals their home address, workplace, or another private location.

Parler infamously didn’t strip metadata from user-uploaded photos, which revealed the locations of a large number of users when archivists exploited weaknesses in the platform’s API to download its entire contents. Others have been slow to adopt metadata stripping, such as Slack, though it eventually did.
