Fitness app PumpUp has been revealed to be leaking private and sensitive data, including health information and messages sent privately between users.
The Ontario-based company, which has over six million users – including many located in Europe – had left a core backend server, which was hosted on Amazon’s cloud, exposed and not password-protected. Anyone who came across it was able to access the information.
According to ZDNet, every time a message was sent, the app exposed the contents of the message, and the contents of the associated user profiles. Profile data exposed included the user’s email address, date of birth, gender, location, timezone, device data, IP address, biography, workout and activity goals, full-resolution profile photos, lists of blocked users, height, weight, caffeine and alcohol consumption, smoking frequency, and details of any health concerns, medications and injuries. In some cases, unencrypted payment card data was also exposed, including card number, verification values, and expiry dates. Some of the accounts belonged to under-18s.
The user’s session token both for the app and, if the user had logged in via Facebook, for Facebook, were also exposed. These could then be used to grant access to the user’s account without knowing their password.
However, CEO Garrett Gottlieb said: “As a result of a scheduled server update, a very limited amount of user information was left unsecured. This included the credit card numbers of less than 10 clients and user messaging related to the topic of personal training.”
The exposed server was found by security researcher Oliver Hough, and has now been secured. It’s unclear how long the server had been exposed, or if anyone other than Hough found it
“Beyond the security researcher who originally came across the vulnerability, we are not aware of any other individuals who were aware of this situation or who had access to any of the data,” said Gottlieb. He added that the users impacted by the leak would be notified and offered a lifetime subscription.