top of page


  • Chris Bratton - Tech Journalist

A bug in Peloton’s API may leak sensitive user

Peloton fitness bikes received some criticism due to a recent event about the API bug. It is said that the bug is leaking user information and could potentially cause more harm. The threat is not significant at the moment, but where privacy is a concern, it is an important issue. Exposed API has the potential to leak sensitive user information to hackers.

These fitness equipments are connected to the production server that syncs real-time data and shows health information and updates on screen. In an earlier notice, Peloton fitness bikes did the same thing with security exposure. Hackers could quickly gain access to the API and extract both authenticated and unauthenticated customer information. These data can be modified to track specific users.

Generally, customer information contains username, email, contact info, billing address, etc. But for this kind of exposure, user's wellbeing details could also leak. Pen Test Partners investigated the matter thoroughly and sent back relevant news on the bug. According to them, User ID, instructor ID, group membership, location, workout stats, gender & age, inside studio or outside, are the kinds of disclosures. Peloton has 3 million subscribers who use the bike actively and over 1 million connected fitness subscribers, whose data may be compromised.

Bugs related to API can break into several issues like functionality, reliability, security. There are also performance and classification issues. Peloton's API bug is no different. All these data can be easily extracted via API as it can even control which data to sync with the server. That simultaneously shows on the customer display. Peloton users can jam together in online sessions, which gives a sense of working out together like in the gym when they are actually doing it at home. Class data, last location, etc., are still leaking by the API bug.

Ninety days after the bug was reported, we expect Peloton to fix and address the issue as we don't like our data to be shared with outsiders. But through a coordinated vulnerability disclosure program, we learned that some data is still leaking. Experts submitted reports through the CVD program and still working on the issue.

The internet-connected fitness bike with screen became a sensation after launch, and many people chose Peloton over other exercise equipment's. The subscription plan takes a respectable amount beforehand, and there is a monthly subscription package that lets customers join live classes. Classes are held by professionally certified cycling instructors and many other people for a flat rate of $39. Many stay on for more than one classes as they made things exciting within the touch screen, and it's helping people stay in shape the fun way. But the leakage is not to be overseen. Even the white house was supposed to have Peloton's bike for president. But security officials forbid President Biden not to.

Members who kept their account information private may have also been compromised in the data exposure. Peloton's CISO briefed about the flaws in the press as far as we know. Jan Masters, a security researcher at Pen Test Partners, experimented with the API and found out unauthenticated requests can be made, and in response, helpful user data can be mined. API allows the user device to talk to internet and sync with company servers. The bike was doing the same but with potential flaws, and we don't know how long the API has been exposed. Even before making this news public and for their safety, a report was sent to Peloton first. After a 90-day deadline, as we mentioned, the news made it to people. In response to the API request, we can receive customer data discussed previously. On 5th May, Peloton responded that the vulnerabilities were primarily fixed, and it took them seven days. They also mentioned, "It's a shame that our disclosure wasn't responded to on time and also a shame that we had to involve a journalist to get listened to."


bottom of page