Privacy News Privates on parade: fitness tracker app reveals sensitive user details

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Another online fitness tracking app is giving up sensitive information – but this time, it is revealing the names and home locations of government personnel.

Permissive search capabilities in Polar Flow, an online tracking app by Finnish fitness wearables company Polar, has enabled researchers to pinpoint highly sensitive military and intelligence operatives and quickly find out where they live. Furthermore, until Polar shut the app down it was possible to download gigabytes of this information automatically.

Foeke Postma, a volunteer at open source intelligence collective Bellingcat, originally discovered the issue and contacted Dutch news site De Correspondent, who dug into it further. The flaw lay in the way that Polar Flow displayed the details of users’ workouts over several years and allowed people to search for them.

The web app displayed icons in a geographic area of the visitor’s choicer, indicating exactly where someone had worked out. Clicking on an icon revealed the details that the person had registered in the app along with all their other workout locations.

The researchers could use that information to find workout routes that began and ended at the same residential address to pinpoint where they lived.

They also used this technique to identify workouts near sensitive sites such as military bases, detention centres, intelligence offices and nuclear weapons sites. They could then identify employees by name and search their other workouts to find their homes.

Even when people had marked themselves private in the app or registered with a fake name, the reporters were still able to find their identities. Polar Flow still exposed a unique identifying number, and allowed public searches using that ID.

The app revealed all their logged activity to anyone who searched, enabling the reporters to quickly track down the private individual’s home address. From there, a quick public record search revealed their real name.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top