A flaw in the popular fitness app Strava has recently allowed threat actors to uncover the location and movements of Israeli officials at secret bases.
The full story can be read here:
https://www.bbc.co.uk/news/world-middle-east-61879383
FakeReporter, an Israeli group that combats malicious online activity, reported that a suspicious user named “Ez Shehl” had exploited these functions to upload fake GPS data to create route segments inside secret facilities associated with Israel’s military.
As with any application, no matter how innocuous, bad actors will probe for and exploit vulnerabilities in order to harvest sensitive data, in this case with serious national security implications.
This story highlights the tension between users wanting social interaction through sharing their data and keeping that data private. Quite simply, users cannot have their cake and eat it. As shown in this case, the use of cloud-based storage will always pose a significant risk. We need to move to a model where data is mastered on the device and is only shared with chosen individuals via a key exchange mechanism. With such an approach, nobody else, including Strava, would be able to read that data. However, with companies such as Strava seeing great value in user data, this is clearly an unattractive business proposition.
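A sketch of the on-device model described above, as an added example that is not from the original article and is not Strava's code. It assumes X25519 key agreement, HKDF and AES-256-GCM as the key exchange mechanism (the article names none); all function names and the sample route are constructed for illustration.

```javascript
// Added example: hypothetical names and constructed data; runs on Node.js built-ins only.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key-wrapping key from an X25519 shared secret via HKDF.
function wrapKey(myPrivate, theirPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'route-share-v1', 32));
}

// AES-256-GCM with a fresh random 96-bit IV per message.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if the key or data is wrong
}

// On the owner's device: encrypt the route once, wrap the content key per chosen recipient.
function shareRoute(owner, route, recipients) {
  const contentKey = nodeCrypto.randomBytes(32);
  const envelopes = {};
  for (const [name, pub] of Object.entries(recipients)) {
    envelopes[name] = seal(wrapKey(owner.privateKey, pub), contentKey);
  }
  // The returned object is everything the storage service ever receives.
  const body = seal(contentKey, Buffer.from(JSON.stringify(route)));
  return { ownerPublic: owner.publicKey, body, envelopes };
}

// On a recipient's device: unwrap the content key, then decrypt the route.
function readRoute(stored, name, myPrivate) {
  const contentKey = open(wrapKey(myPrivate, stored.ownerPublic), stored.envelopes[name]);
  return JSON.parse(open(contentKey, stored.body).toString());
}

// Constructed sample: alice shares with bob; "outsider" stands for the service or anyone else.
const alice = nodeCrypto.generateKeyPairSync('x25519');
const bob = nodeCrypto.generateKeyPairSync('x25519');
const outsider = nodeCrypto.generateKeyPairSync('x25519');
const route = [{ lat: 51.5007, lon: -0.1246, t: 0 }, { lat: 51.5014, lon: -0.1419, t: 420 }];
const stored = shareRoute(alice, route, { bob: bob.publicKey });

function outsiderCanRead() {
  try { readRoute(stored, 'bob', outsider.privateKey); return true; } catch { return false; }
}
console.log(readRoute(stored, 'bob', bob.privateKey), outsiderCanRead());
```

Recipient public keys still have to be authenticated out of band; a service that could substitute its own key at that step would regain access.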