Another online fitness tracking app is giving up sensitive information – but this time, it is revealing the names and home locations of government personnel.
Permissive search capabilities in Polar Flow, an online tracking app by Finnish fitness wearables company Polar, have enabled researchers to pinpoint highly sensitive military and intelligence operatives and quickly find out where they live. Furthermore, until Polar shut the app down it was possible to download gigabytes of this information automatically.
Foeke Postma, a volunteer at open source intelligence collective Bellingcat, originally discovered the issue and contacted Dutch news site De Correspondent, who dug into it further. The flaw lay in the way that Polar Flow displayed the details of users’ workouts over several years and allowed people to search for them.
The web app displayed icons in a geographic area of the visitor’s choice, indicating exactly where someone had worked out. Clicking on an icon revealed the details that the person had registered in the app along with all their other workout locations.
The researchers could use that information to find workout routes that began and ended at the same residential address to pinpoint where they lived.
They also used this technique to identify workouts near sensitive sites such as military bases, detention centres, intelligence offices and nuclear weapons sites. They could then identify employees by name and search their other workouts to find their homes.
Even when people had marked themselves private in the app or registered with a fake name, the reporters were still able to find their identities. Polar Flow still exposed a unique identifying number, and allowed public searches using that ID.
The app revealed all their logged activity to anyone who searched, enabling the reporters to quickly track down the private individual’s home address. From there, a quick public record search revealed their real name.
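The address-inference technique above rests on one pattern: a published route that starts and ends at the same spot. The following added example (not from the article, Polar or Bellingcat) shows the two checks a tracking app or a privacy-conscious user would want before a workout goes public: a round-trip detector that flags exactly the routes the reporters exploited, and a privacy-zone trim that strips every point within a radius of a designated home location. The coordinates are constructed sample data.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def round_trip_risk(track, threshold_m=100.0):
    """True if the route begins and ends within threshold_m of each other.
    A loop from a single address is what lets an observer infer a home."""
    return len(track) >= 2 and haversine_m(track[0], track[-1]) <= threshold_m

def apply_privacy_zone(track, centre, radius_m=500.0):
    """Drop every point within radius_m of centre (e.g. the user's home)
    before publishing, so the visible route no longer starts at the door."""
    return [p for p in track if haversine_m(p, centre) > radius_m]

# Constructed sample: a short loop starting and ending at a hypothetical home.
HOME = (52.3700, 4.8900)
TRACK = [
    (52.3700, 4.8900), (52.3720, 4.8920), (52.3760, 4.8960),
    (52.3800, 4.9000), (52.3840, 4.9040), (52.3800, 4.9100),
    (52.3740, 4.9020), (52.3710, 4.8930), (52.3701, 4.8901),
]

if __name__ == "__main__":
    print("reveals home as published:", round_trip_risk(TRACK))
    trimmed = apply_privacy_zone(TRACK, HOME)
    print("points kept after trim:", len(trimmed))
    print("reveals home after trim:", round_trip_risk(trimmed))
```

The trim removes both ends of the loop, so the published route no longer passes the round-trip check; a unique, publicly searchable user ID (the second weakness the article describes) would still need to be fixed server-side.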
Searching en masse
Because Polar Flow embedded search queries in web URLs, the reporters were able to create scripts that assembled URLs with their choice of search parameters and sent them to the Polar Flow server directly, bypassing browser-based searches altogether.
They did this en masse, searching individual segments of the map using combinations of GPS coordinates, for all periods since 2014, in three-month chunks. Their automatic script targeted over 200 sensitive locations to produce a list of 60,000 workouts by 6,460 users.
They then programmed another automatic search, querying each of these users’ profile pages and asking for their other workout locations. The application spat out several gigabytes of data – and let the reporters simply download it.
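Scripted sweeps of this kind leave a recognisable trace in the server's access logs: one client walking through many adjacent bounding boxes and historical date windows, with no Referer from the app's own map page. This added example (not Polar's code; the /explore endpoint and the bbox, from and to parameter names are hypothetical) runs that detection over a few constructed log lines.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines. Endpoint and parameter names are hypothetical.
LOG_LINES = """\
198.51.100.7 - - [05/Jul/2018:10:00:01 +0000] "GET /explore?bbox=52.0,4.0,52.1,4.1&from=2014-01-01&to=2014-03-31 HTTP/1.1" 200 812 "-" "python-requests/2.19"
198.51.100.7 - - [05/Jul/2018:10:00:02 +0000] "GET /explore?bbox=52.0,4.0,52.1,4.1&from=2014-04-01&to=2014-06-30 HTTP/1.1" 200 790 "-" "python-requests/2.19"
198.51.100.7 - - [05/Jul/2018:10:00:03 +0000] "GET /explore?bbox=52.1,4.0,52.2,4.1&from=2014-01-01&to=2014-03-31 HTTP/1.1" 200 801 "-" "python-requests/2.19"
198.51.100.7 - - [05/Jul/2018:10:00:04 +0000] "GET /explore?bbox=52.1,4.0,52.2,4.1&from=2014-04-01&to=2014-06-30 HTTP/1.1" 200 777 "-" "python-requests/2.19"
198.51.100.7 - - [05/Jul/2018:10:00:05 +0000] "GET /explore?bbox=52.2,4.0,52.3,4.1&from=2014-01-01&to=2014-03-31 HTTP/1.1" 200 805 "-" "python-requests/2.19"
203.0.113.9 - - [05/Jul/2018:10:02:10 +0000] "GET /explore?bbox=48.85,2.30,48.90,2.40&from=2018-06-01&to=2018-07-05 HTTP/1.1" 200 1201 "https://flow.example/" "Mozilla/5.0"
203.0.113.9 - - [05/Jul/2018:10:05:44 +0000] "GET /explore?bbox=48.86,2.31,48.91,2.41&from=2018-06-01&to=2018-07-05 HTTP/1.1" 200 1190 "https://flow.example/" "Mozilla/5.0"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'\d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    """Extract client IP, Referer, and the map cell and date window queried."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlparse(m["path"]).query)
    return {"ip": m["ip"], "ref": m["ref"], "ua": m["ua"],
            "bbox": q.get("bbox", [""])[0],
            "window": (q.get("from", [""])[0], q.get("to", [""])[0])}

def flag_enumerators(lines, min_cells=3, min_windows=2):
    """Return IPs that sweep the map: several distinct bounding boxes, more
    than one historical date window, and at least one request with no Referer
    (i.e. assembled directly rather than issued by the web app's map page)."""
    per_ip = defaultdict(lambda: {"cells": set(), "windows": set(), "no_ref": 0})
    for rec in filter(None, map(parse, lines)):
        s = per_ip[rec["ip"]]
        s["cells"].add(rec["bbox"])
        s["windows"].add(rec["window"])
        s["no_ref"] += rec["ref"] in ("", "-")
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["cells"]) >= min_cells
                  and len(s["windows"]) >= min_windows and s["no_ref"] > 0)

if __name__ == "__main__":
    print("suspected map enumerators:", flag_enumerators(LOG_LINES))
```

Thresholds this low are only for the tiny sample; in production the same per-client counters would feed rate limiting on the search endpoint, which is the control whose absence let gigabytes leave the server.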
From there, it would have been a relatively simple task to find each person’s frequent workout locations and narrow down their address. They resisted the temptation to take things all the way, and instead turned the information over to Polar.
According to ZDNet, Polar responded that its systems had not been breached. The company sent it the following statement:
Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data and have made the decision to temporarily suspend the Explore API.
The concern is, of course, that someone else may have accessed this information publicly already. It was a clear example of ‘light leakage’, in which a seemingly innocuous social tool can become the perfect doxxing tool.
Not the first fitness tracker leak
Bellingcat’s Postma began looking into Polar Flow after reading about another fitness app, Strava. This app revealed sensitive locations late last year as part of its Global Heat Map, which was a global map of workout activity – including those at military bases.
“Foeke Postma, a volunteer at open source intelligence collective Bellingcat, originally discovered the issue and contacted Dutch news site De Correspondent, who dug into it further.”
“Instead, they were responsible and turned the information over to Polar.”
Ummm… a bit of contradiction there? Or at least confusion? Turning it over to a news site sure doesn’t seem to me like “responsible” reporting!
I’m inclined to agree – somewhere between contradiction and confusion IMO.
The use of responsible here means that they didn’t go all the way to proving their point by actually doing the calculations to infer everyone’s physical address. I’ll edit the text to replace the words “they were responsible…” with “they resisted the temptation to take things all the way, and instead…”, which makes it a bit clearer what they didn’t do.
Just to clarify here, I was talking about the reporters (referenced four paras up). As I mentioned in the story, Bellingcat found the flaw, and informed the reporters. The reporters did more research, and then before publishing any of their findings they turned the information over to Polar, which then informed the reporters that they had shut off that part of the site. Although there are no regulated disclosure rules to my knowledge, this is in line with Rain Forest Puppy’s general guidelines on disclosure.
It’s also worth pointing out that Bellingcat didn’t publish their own findings until July 8, at which point Polar had already taken down the offending feature. Bellingcat and the reporters worked closely with each other on the story so I imagine this would have been closely co-ordinated. I think both parties acted responsibly.