A popular fitness app that tracks the activity data of millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services, ZDNet reports.
The app, Polar Flow, built by its eponymous company Polar, a Finland-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years simply by modifying the browser's web address.
For most users who set their activity tracking records to public, posting their workouts on Polar's so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user's fitness activity can reveal where a person lives. An exposed location of anyone working at a government or military installation can quickly become a national security risk.
It's the second time this year a fitness app has sparked controversy by revealing the locations of personnel at sensitive installations. Strava changed its privacy settings after word quickly spread that the fitness trackers used by military personnel were exposing the classified routes between bases on the battlefield, making it easy to launch attacks. Much of the controversy was because the companies put the onus of privacy on the user, but many are not aware their information is searchable, let alone accessible by anybody.
Although the existence of many government installations is widely known, the identities of their employees were not. But now, an investigation by Dutch news site De Correspondent and Bellingcat found that Polar Flow exposed their fitness tracking data. The company's developer API could be improperly queried to retrieve fitness activities, like each running and cycling session, on any user.
With two pairs of coordinates dropped over any sensitive government location or facility, it was possible to find the names of personnel who track their fitness activities dating as far back as 2014.
The reporters identified more than 6,400 users believed to be exercising at sensitive locations, including the NSA, the White House, MI6 in London, and the Guantanamo Bay detention center in Cuba, as well as personnel working on foreign military bases. Names of officers and agents at foreign intelligence services, like GCHQ in Cheltenham, the French DGSE in Paris, and the Russian GRU in Moscow, were also found. Staff at nuclear storage facilities, missile silos, and prisons were also spotted.
De Correspondent shared some of the data with ZDNet to examine. Not only was it possible to see exactly where a user had exercised, it was easy to pinpoint exactly where a user lived, if they started or stopped their fitness tracking as soon as they left their house.
Because there were no limits on how many requests the reporters could make, coupled with easily enumerable user ID numbers, it was possible for anyone -- including malicious actors or foreign intelligence services -- to scrape the fitness activity data on millions of users. But they also found they could trick the API into retrieving fitness tracking data on private profiles.
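The three weaknesses the article names (activity records returned to whoever supplies an ID, easily enumerable IDs, and no limit on request volume) are shown here as a weak lookup beside a hardened one that enforces object-level authorization and a per-caller rate limit. This is an added illustration with constructed records and names; it is not Polar's code.

```python
"""Weak versus hardened activity lookup; all records and IDs are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional
import time


@dataclass
class Activity:
    owner_id: int
    private: bool
    summary: str


# Constructed records; small sequential integers stand in for enumerable IDs.
ACTIVITIES: Dict[int, Activity] = {
    1001: Activity(owner_id=7, private=False, summary="run 5 km"),
    1002: Activity(owner_id=8, private=True, summary="cycle 20 km"),
}


def lookup_weak(activity_id: int) -> Optional[str]:
    """Weak: any caller who guesses an ID receives the record, private or not."""
    act = ACTIVITIES.get(activity_id)
    return act.summary if act else None


class RateLimiter:
    """Sliding-window limiter keyed by caller (API token or client address)."""
    def __init__(self, max_requests: int, window_s: float):
        self.max, self.window = max_requests, window_s
        self.hits: Dict[str, Deque[float]] = {}

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(caller, deque())
        while q and now - q[0] > self.window:
            q.popleft()                      # drop hits outside the window
        if len(q) >= self.max:
            return False                     # budget exhausted, refuse
        q.append(now)
        return True


LIMITER = RateLimiter(max_requests=3, window_s=60.0)


def lookup_hardened(activity_id: int, caller_id: int, caller_key: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Hardened: throttle the caller, then release a record only if it is
    public or owned by the caller. Private and missing records both return
    None so the endpoint does not confirm which IDs exist."""
    if not LIMITER.allow(caller_key, now):
        raise PermissionError("rate limit exceeded")
    act = ACTIVITIES.get(activity_id)
    if act is None or (act.private and act.owner_id != caller_id):
        return None
    return act.summary
```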
ZDNet was able to trace one person who exercised near NSA headquarters in Ft. Meade. The user later started his exercise tracking as he left his house in nearby Virginia. Through public records, ZDNet confirmed his name and his role as a senior military official.
Polar isn't the only fitness tracking company inadvertently exposing user data. Other fitness apps had similar issues, though the reporters said the exposures were not to the same extent as Polar.
Polar apologized for the inconvenience caused by suspending the map. "However our goal is to raise the level of privacy protection and to heighten the awareness of good personal practices when it comes to sharing GPS location data," the company said.