Echelon Fitness Leaks PII of Customers Through Severely Insecure API

  • Echelon had a leaky API that exposed very sensitive data about all of its customers.
  • The data security investigation also exposed COPPA violations, as Echelon stored children’s details without parental consent.
  • The company has reportedly ignored the existence of the privacy flaw for months.

Researchers of the PenTestPartners team led by Ken Munro have discovered serious security problems with the API used by Echelon Fitness, a home indoor exercise bike and smart fitness equipment maker. According to the relevant report, Echelon was exposing the sensitive details of its customers, allowing anyone to access it through simple API requests. To make matters worse, the researchers report that these issues were discovered all the way back in January, but Echelon fixed them only last week.

This is very unfortunate when considering how many people relied on exercise machines of this kind during the pandemic and the associated lock-downs that forced people to remain indoors for extended periods of time. Here is what could be harvested from the leaky Echelon API:

  • User IDs
  • Locations (address, zip code, city, state. All of which are populated from your payment info.)
  • Names
  • Email addresses
  • Telephone numbers
  • Stripe IDS
  • Age, Sex, Weight, Birthday
  • Equipment serial numbers
  • Retailer purchased from
  • Subscription dates
  • Badges, workout stats, workout history
Source: PenTestPartners

About ten days ago, we covered a very similar story about Peloton, who is actually a competitor of Echelon. The discovery of Peloton’s security problems came from the same team, and technically, an insecure API was to blame there too. However, the type of data that Echelon exposed was a lot more severe, and the consequences for the customers are now way more troublous.

In the process of finding out exactly how bad the flaws were, the researchers abused the user search functionality, finding several “interesting” users in Echolon’s database.

Source: PenTestPartners

In addition to that, the team found details about users under the age of 13, even though no relevant provisions were in place, so the platform was also violating the COPPA regulations. And on top of that, if a user uploaded a profile image without stripping the metadata first, someone could see their GPS location details, time tags, the device used, etc.

When the PenTestPartners researchers notified Echelon about their findings on January 20, 2021, the company just informed them that the report had been forwarded to the correct department. This was followed by two months of silence despite the researchers’ repeated efforts to get an update on the fixing of the issues. Eventually, the team contacted journalist Zack Whittaker, who “convinced” Echelon to finally do something about their leaky API.

The firm answered by claiming that the issue had been fixed on January 21, 2021 (in 24 hours), and their contracted expert could no longer replicate any problems. The researchers, however, maintain that they could still confirm the existence of the issues until May 7, 2021, so they refute Echelon’s claims.

REVIEW OVERVIEW

Latest

How to Use LiDAR on Your iPhone 13 Pro and Pro Max

Last year, Apple brought LiDAR scanning to its smartphone lineup (after being available on iPad Pro). And this year, that same feature is found...

How to Use Your iPhone 13 Pro and Pro Max Camera

If you’ve already checked iPhone 13’s camera specs, you know that plenty of goodness awaits. Aside from upgraded internals, iOS is now equipped...

How to Watch Sunday Night Football Without Cable in 2021: Schedule, TV Channel, Live Stream

The 2021 NFL season is here, and we can hardly contain our excitement. The opportunity to watch your favorite team in action live...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari