Peloton API Bug: Expert Commentary

By   ISBuzz Team
Writer , Information Security Buzz | May 10, 2021 06:05 am PST

Peloton bug has permitted an unauthenticated user access to view sensitive information for all users and snoop on live class statistics and its attendees, despite having a private mode. 

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Ben Sadeghipour
Ben Sadeghipour , Head of Hacker Education
InfoSec Expert
May 10, 2021 2:20 pm

<p style=\"font-weight: 400;\">The root cause of the issue is improper authentication, one of the top 10 vulnerabilities hackers find on HackerOne. In fact, we’ve seen the amount organisations pay for improper authentication vulnerabilities increase 36% year over year. When development cycles speed up, there is inevitably going to be a greater chance of introducing vulnerabilities into code so, with the speed of modern development, it’s no surprise vulnerabilities like this keep cropping up. With an obscure domain such as those referenced in this instance, it takes an adversarial approach with proper reconnaissance to identify the assets and the risk they pose to users.</p> <p> </p> <p style=\"font-weight: 400;\">In “Issue 3,” the hacker was able to identify a backend API/system where the vulnerability existed. Since this domain uses graphql, it’s easy to access and enumerate its schema if you have a solid understanding of graphql itself, which many good hackers do. But all of this research hinges on action being taken. Organisations can have the best technology and systems in place, but they’re only so effective without the addition of humans spotting the unexpected and taking immediate action. Therefore, it’s crucial that security teams are empowered to respond to vulnerability reports quickly and effectively to prevent them from being exploited by malicious actors, who could be the next to identify the issue. Having a vulnerability disclosure policy is an important and widely accepted step in ensuring vulnerability findings make it into the right hands to be remediated.</p>

Last edited 2 years ago by Ben Sadeghipour

Recent Posts

Would love your thoughts, please comment.x