Fitness App Polar Exposed Locations of Spies and Military Personnel (zdnet.com)
An anonymous reader writes: A popular fitness app that tracks the activity data on millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services. The app, Polar Flow, built by its eponymous company Polar, a Finnish-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address. Although the existence of many government installations is widely known, the identities of their employees were not.
Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, if they started or stopped their fitness tracking as soon as they left their house. Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone -- including malicious actors or foreign intelligence services -- to scrape the fitness activity data on millions of users. But they also found they could trick the API into retrieving fitness tracking data on private profiles.
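The summary above names two missing server-side controls: a private profile's data could be fetched by anyone who changed the user ID in the URL, and nothing limited how many sequential IDs one client could walk through. The following is an added example, not code from Polar or from the article, sketching both controls in plain Python: an authorization check that ties private-profile reads to the profile's owner, and a log scan that flags a client requesting many distinct user IDs in a short window. The `Profile` layout, the `/api/users/<id>/activities` path, the thresholds and the log lines are all constructed for illustration.

```python
"""Added example (not from the article or Polar): a minimal model of the two
controls whose absence the story describes. Record layout, API path and log
lines are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    private: bool
    activities: list = field(default_factory=list)


# Constructed sample profiles: one public, one private.
PROFILES = {
    1001: Profile(1001, private=False, activities=["run: park loop"]),
    1002: Profile(1002, private=True, activities=["run: start at home"]),
}


class Forbidden(Exception):
    """Raised when the requester may not read the requested activities."""


def authorize_activity_read(requester_id, target_id, profiles=PROFILES):
    """Return target_id's activities only if requester_id may see them.

    Private profiles are readable only by their owner, regardless of which
    id appears in the URL. Unknown ids raise the same Forbidden as private
    ones so the response does not confirm whether an id exists."""
    profile = profiles.get(target_id)
    if profile is None:
        raise Forbidden
    if profile.private and requester_id != target_id:
        raise Forbidden
    return list(profile.activities)


# Constructed access-log lines: "<epoch seconds> <client ip> <path>".
# The first client walks five consecutive ids in four seconds; the second
# fetches one profile twice, fifteen minutes apart.
SAMPLE_LOG = """\
1531000000 203.0.113.5 /api/users/1001/activities
1531000001 203.0.113.5 /api/users/1002/activities
1531000002 203.0.113.5 /api/users/1003/activities
1531000003 203.0.113.5 /api/users/1004/activities
1531000004 203.0.113.5 /api/users/1005/activities
1531000010 198.51.100.7 /api/users/1001/activities
1531000900 198.51.100.7 /api/users/1001/activities
"""


def find_enumeration(log_text, max_ids=4, window_s=60):
    """Return client ips that requested more than max_ids distinct user ids
    within any window_s-second span (sliding window per client)."""
    per_client = defaultdict(list)  # ip -> [(timestamp, user_id), ...]
    for line in log_text.splitlines():
        ts, ip, path = line.split()
        parts = path.split("/")  # ['', 'api', 'users', '<id>', 'activities']
        if len(parts) >= 4 and parts[1] == "api" and parts[2] == "users":
            per_client[ip].append((int(ts), int(parts[3])))
    flagged = set()
    for ip, events in per_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {uid for t, uid in events[i:] if t - t0 <= window_s}
            if len(ids) > max_ids:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(authorize_activity_read(1002, 1002))   # owner reads own private data
    print(find_enumeration(SAMPLE_LOG))          # ['203.0.113.5']
```

The authorization check is deliberately keyed on the requester's identity rather than on anything in the request path, which is the point the "modify the web address" finding turns on; the enumeration scan is a detection, and in production the same signal would feed a per-client rate limit rather than only a report.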
The only thing stupid was trusting a fitness company to pay attention to keeping private profile information private.
I agree, those who need to keep their locations secure should probably rethink any app or device that records activity. But, I also think the headline is a bit sensational.
But to bring the risk into focus for people in general. This kind of app could also let people know when your house may be empty by showing your workout routine.
https://yro.slashdot.org/story...
https://tech.slashdot.org/stor...
I think this nicely illustrates what "survival of the fittest" really means. ;)
Anons need not reply. Questions end with a question mark.
If memory serves, about the time frame that this news story first broke, Nike seemed to have taken down their website that had allowed users to take a look at their activity. I wonder if they were worried that they might have a similar problem.
French DGSE agency personnel were already bitten by this kind of feature.
Even if the data is not public, it can be hacked. It looks very unprofessional for spies and military to fall into this trap, especially given that there was a precedent.
Re: "And why isn't telling them to not do that part of the basic training?"
NSA and GCHQ can't set security conditions anymore. Contractors and staff have to be free to enjoy their electronic devices on any mission so they don't get upset.
Contractors and mil staff who get upset have a list of grievances.
Staff walk around and need a friend to talk to about the bad working conditions.
Other nations' spies are only too happy to become friends and listen.
To stop that emotional build up of unhappiness contractors and gov/mil get to be happy. With the consumer electronics, computers, games, devices all networked.
Boredom is the path to the risky side. Risk leads to seeking out fun. Fun leads to a den of spies. Spies open the pathway to split loyalty.
It took the US and UK gov into the 1970s and a lot of money to finally discover why the Soviet Union was able to get generations of most trusted US and UK staff to spy for them.
Low pay and really bad working conditions allowed Soviet spies to make new friends around the most secret and sensitive US and UK mil sites.
Domestic spying is now "Benign Information Gathering"
I read this "news" a few months ago... or maybe a year ago.
I thought people working for them had to be intelligent. Apparently, I was wrong.
Should have used the stock "military intelligence is an oxymoron" gag instead to save time.
To have a right to do a thing is not at all the same as to be right in doing it
Spooks got played.