Slashdot Mirror


Fitness App Polar Exposed Locations of Spies and Military Personnel (zdnet.com)

An anonymous reader writes: A popular fitness app that tracks the activity data on millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services. The app, Polar Flow, built by its eponymous company Polar, a Finnish-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address. Although the existence of many government installations is widely known, the identities of their employees were not.

Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, if they started or stopped their fitness tracking as soon as they left their house. Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone -- including malicious actors or foreign intelligence services -- to scrape the fitness activity data on millions of users. But they also found they could trick the API into retrieving fitness tracking data on private profiles.
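
The server-side gaps the summary names (any user ID in the request is served, no limit on requests, private profiles returned anyway), sketched as an added example that is not Polar's code or part of the original story. The profile data, IDs, function and class names, status codes and limits are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: profiles keyed by sequential numeric IDs (hypothetical).
PROFILES = {
    1001: {"private": False, "activities": ["run 2018-06-01"]},
    1002: {"private": True, "activities": ["run 2018-06-02"]},
    1003: {"private": False, "activities": ["ride 2018-06-03"]},
}

def get_activities_vulnerable(requester_id, target_id):
    """Failure mode from the summary: any requested ID is served, privacy flag ignored."""
    profile = PROFILES.get(target_id)
    return (200, profile["activities"]) if profile else (404, [])

class ActivityAPI:
    """Hardened handler: server-side privacy check plus a per-client request budget."""

    def __init__(self, max_requests=2, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested without sleeping
        self.history = defaultdict(deque)  # requester_id -> recent request timestamps

    def _over_budget(self, requester_id):
        now = self.clock()
        recent = self.history[requester_id]
        # Drop timestamps that have aged out of the sliding window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def get_activities(self, requester_id, target_id):
        if self._over_budget(requester_id):
            return (429, [])
        profile = PROFILES.get(target_id)
        # Same 404 for "no such user" and "private, not yours", so responses
        # do not confirm which IDs exist.
        if profile is None or (profile["private"] and requester_id != target_id):
            return (404, [])
        return (200, profile["activities"])
```

The privacy decision is made on the server for every request, so it holds whether the request comes from the web page or directly against the API.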

29 comments

  1. Call the waaahmbulance for the jackboots by Anonymous Coward · · Score: 0

    Good. If they're allowed to sweep up all the information possible about us, then the jackboots deserve the same in reverse.

    1. Re: Call the waaahmbulance for the jackboots by Anonymous Coward · · Score: 0

      Jackboots. You just learn that word and needed some way to use it, no matter how absurd? Good job.

  2. Happens all the time by Anonymous Coward · · Score: 0

    Things like this are why I quit working out at Area 51. Now I just grunt out my 5x5 sets at Planet Fitness.

    1. Re:Happens all the time by Anonymous Coward · · Score: 0

      Things like this are why I quit working out at Area 51. Now I just grunt out my 5x5 sets at Planet Fitness.

      Planet Fitness goers can get to the fifth set?!?!

      Keep it up - maybe one day you'll be allowed to work out in a real gym.

  3. Alternative title by Anonymous Coward · · Score: 0

    Alternative title: Morons freely give potentially sensitive data to insecure company. Why would you install one of these things if your location was important? And why isn't telling them to not do that part of the basic training?

    1. Re:Alternative title by AHuxley · · Score: 1

      Re "And why isn't telling them to not do that part of the basic training?"
      NSA and GCHQ can't set security conditions anymore. Contractors and staff have to be free to enjoy their electronic devices on any mission so they don't get upset.
      Contractors and mil staff who get upset have a list of grievances.
      Staff walk around and need a friend to talk to about the bad working conditions.
      Other nations' spies are only too happy to become friends and listen.

      To stop that emotional build up of unhappiness contractors and gov/mil get to be happy. With the consumer electronics, computers, games, devices all networked.
      Boredom is the path to the risky side. Risk leads to seeking out fun. Fun leads to a den of spies. Spies open the pathway to split loyalty.
      It took the US and UK gov into the 1970's and a lot of money to finally discover why the Soviet Union was able to get generations of most trusted US and UK staff to spy for them.
      Low pay and really bad working conditions allowed Soviet spies to make new friends around the most secret and sensitive US and UK mil sites.

      --
      Domestic spying is now "Benign Information Gathering"
  4. Nothing "inadvertent" about it by Anonymous Coward · · Score: 0

    The Polar app did nothing inadvertent.

    People better served by keeping their locations secret posted their workouts to the internet.

    AKA "idiots" did something "stupid".

    Nothing to see here - move along.

    1. Re: Nothing "inadvertent" about it by Anonymous Coward · · Score: 1

      The only thing stupid was trusting a fitness company to pay attention to keeping private profile information private.

      I agree, those who need to keep their locations secure should probably rethink any app or device that records activity. But, I also think the headline is a bit sensational.

      But to bring the risk into focus for people in general. This kind of app could also let people know when your house may be empty by showing your workout routine.

  5. Old news on /. by schwit1 · · Score: 5, Informative
    1. Re:Old news on /. by Anonymous Coward · · Score: 0

      But... this is Polar, so it's new news.

    2. Re:Old news on /. by CaseCrash · · Score: 2

      Thank you, my first thought was "Didn't this happen months ago?" I guess this is another company and no one learned their lesson last time :P

      --
      No, that link you posted to a web comic we've all seen a hundred times is not "obligatory."
    3. Re:Old news on /. by Anonymous Coward · · Score: 2, Informative

      There's a significant difference. With Strava, the problem was that people were publishing data as public when they should not have been. This time, users have learned to mark private data as private, but it's getting leaked anyway.

    4. Re:Old news on /. by Anonymous Coward · · Score: 0

      There's a significant difference. With Strava, the problem was that people were publishing data as public when they should not have been. This time, users have learned to mark private data as private, but it's getting leaked anyway.

      So Facebook taught people nothing. For the learning disabled here: this doesn't mean you need to USE or TRUST Facebook to take the lesson. It means you can see what happens to others who trusted them to maintain a nominal/promised level of privacy. Because the average person wants to show how they're "always right" which precludes learning from experience. Ok then. Let them reap what they sow.

      This is exactly what average people are not prepared for: a thing that slowly works against you over time, then suddenly pulls the trigger releasing all of its stored "ammo". Average people only anticipate obvious immediate threats. These are the folks who were surprised/shocked/horrified about the Snowden leaks instead of saying "yeah, I figured they were doing something like that".

    5. Re:Old news on /. by AHuxley · · Score: 1

      Data sets just keep on giving. Contractors everywhere are always online.
      Typewriter and gym with 1980's wrist watch that only tells time is looking like a very advanced security policy.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: Old news on /. by Anonymous Coward · · Score: 0

      I'm surprised that you think people learn from others' mistakes.

      Most of the population are sheeple.

  6. Darwin. by Gravis+Zero · · Score: 1

    I think this nicely illustrates what "survival of the fittest" really means. ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Darwin. by Anonymous Coward · · Score: 0

      I prefer to think of it as survival of the fuckers.

  7. Better Link by Anonymous Coward · · Score: 0

    This is the English translation of one of the original articles. Strangely enough you need NoScript activated or it throws up a paywall. The article contains much more detail than the zdnet link.

    https://decorrespondent.nl/8481/heres-how-we-found-the-names-and-addresses-of-soldiers-and-secret-agents-using-a-simple-fitness-app/412999257-6756ba27

  8. Nike+ web site no longer accessible - coincidence? by haus · · Score: 1

    If memory serves, about the time frame that this news story first broke, Nike seemed to have taken down their website that had allowed users to take a look at their activity. I wonder if they were worried that they might have a similar problem.

  9. French spies already went there by manu0601 · · Score: 1

    French DGSE agency personnel were already bitten by this kind of feature.

    Even if the data is not public, it can be hacked. It looks very unprofessional for spies and military to fall in this trap, especially given that there was a precedent.

    1. Re:French spies already went there by AHuxley · · Score: 1

      But think of the need for the contractors to relax after a long day's government work.
      If they don't relax they might get tempted away from the base and talk to waiting Russian spies about the working conditions and low pay.

      --
      Domestic spying is now "Benign Information Gathering"
  10. ROFL by Anonymous Coward · · Score: 0

    They allow military and spies to have such nonsense.

    1. Re:ROFL by Anonymous Coward · · Score: 0

      To be fair, at some point not having devices that tattle on you constantly starts to look like you have something to hide, and spies kind of rely on people not looking too closely at whether they have anything to hide to do their job.

  11. They *sell* location data by Anonymous Coward · · Score: 0

    FFS, everyone is *selling* private data via data brokers, location included. How do you think we get Cambridge Analytics and their ilk? Literally buying private data, which included location data and selling it to Russia.

    Do you think they followed the Russian woman with men in cars like it's the 60's? No, they simply tracked her smartphone as she visited her father in the UK, then doused their door with nerve agent to kill the pair of them, and maybe a UPS delivery man or similar.

    Any number of companies will sell you the location data on your smartphone, and your telco sells that tower location data to hundreds of data brokers for that purpose.

    Soldiers with smartphones keeping contact back home to their moms and wives on Facebook and other social media are not exempt from the data selling.

    Polar Flow were inept in that they were giving it away for free.

  12. Intelligence services? by Anonymous Coward · · Score: 0

    I thought people working for them had to be intelligent. Apparently, I was wrong.

    1. Re:Intelligence services? by tehcyder · · Score: 1

      I thought people working for them had to be intelligent. Apparently, I was wrong.

      Should have used the stock "military intelligence is an oxymoron" gag instead to save time.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  13. Uhm...news? by butzwonker · · Score: 1

    I've read this "news" a few months ago... or maybe a year ago.

    1. Re:Uhm...news? by Anonymous Coward · · Score: 0

      Came to say the same... And of course the obligate 'how stupid can secret service personnel be, to expose themselves in such a dumb way'

  14. Ha Ha by maxbuzz · · Score: 1

    Spooks got played.