Echelon exposed riders' account data, thanks to a leaky API

Image Credits: Echelon (stock image) Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information. Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment. But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number. Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it. Echelon’s API allows its members’ devices and apps to talk with Echelon’s servers over the internet. The API…
Read More