Sick of staring at your quarantine-inflicted four walls? Wouldn’t you rather work out on your rowing machine with a professional, live rower as he zips along Boston’s Charles River?
You can, with an immersive, paid subscription service called Kinomap that will plop you into any of its 134,589 miles of cycling, running or rowing courses with videos taken of real-life athletes working out in areas around the world. It hooks up to your smart exercise machine so it can automatically adjust resistance and will show you glorious shots of the outdoors as you work out by yourself, with teams or with friends.
It sounds great, doesn’t it? Unfortunately, this isn’t an advertisement, which of course means that Kinomap has fallen flat on its workout-app face with a huge leak of users’ personally identifiable information (PII).
Security researchers at vpnMentor found Kinomap’s dribbly database during the firm’s ongoing web-mapping project. Its research team, led by Noam Rotem and Ran Locar, uses port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities, then examines each weakness for data leaks.
The project has uncovered all sorts of leaks: private photos from a photo app, people’s plastic surgery photos, and inmate and jail staff data spilled by a leaky prison app, to name a few examples.
On Tuesday, the vpnMentor researchers said that Kinomap’s database was lying around starkers, completely unsecured and unencrypted. You might have to pay for the subscription service to immerse you in forest greenery, but if you knew where to look, you wouldn’t need to pay anything at all to get at the 42 million Kinomap users’ records that the researchers found.
This is prime time for cybercrooks to be targeting exercise apps like Kinomap, they suggested, given that millions of people are staying at home due to the coronavirus pandemic.
Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis. Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place.
The records seem to pertain to all Kinomap users, given that the data originated in countries across the world. Some of those countries prioritize citizens’ privacy, the researchers noted. That includes France, which is Kinomap’s home country and which has a vigilant watchdog for a data regulator.
Indeed, Kinomap users can most likely thank France’s National Data Protection Commission (CNIL) for getting this leaky database to shut up. That’s what vpnMentor figures, at any rate, given that Kinomap didn’t respond to its multiple contact attempts. It first found the babbling database on 16 March, tried to reach Kinomap on the 18th and again on the 30th, and reached out to CNIL on 31 March. vpnMentor didn’t hear back, but somebody fixed the leak around 12 April.
Before it got fixed, these are some of the types of data found in the plume of PII the database was exhaling:
- Full names
- Home country
- Email addresses
- Usernames for Kinomap accounts
- Timestamps for exercises
- The date they joined Kinomap
The researchers said they also found personal data leaking more indirectly:
Many of the entries contained links to Kinomap user profiles and records of their account activity. Similar to social media accounts, Kinomap profiles can reveal considerable personal details about a user.
The leak could have enabled attackers to craft fraud schemes and other forms of online attack, they said. Phishing and identity fraud come to mind. So does potential account hijacking, given that many of the exposed records included access keys for Kinomap’s API. That access could have enabled attackers to take over Kinomap accounts and lock out the rightful owners.
What to do?
Kinomap users should keep an eye out for emails or text messages from scammers who might know your account history and your identity. They might use that info to craft a phishing campaign in which they imitate Kinomap and try to trick users into providing credit card info or access to their bank accounts.
Attackers might also send an email with a rigged link that leads to malware if you click on it, thus infecting your phone, tablet or whatever device to which you’ve downloaded the Kinomap app.
Kinomap, being under General Data Protection Regulation (GDPR) jurisdiction, should report the leak, vpnMentor says. The company told me that it’s been notified about a vulnerability that was “immediately fixed.” It’s asked for a third-party audit “to make sure everything is cleared and compliant with GDPR.”
Anybody with an internet-facing database should secure their servers, implement proper access rules, and slap some authentication on it before opening it to the internet.
2 comments on “Password-free database of exercise app Kinomap leaks 42m user records”
It seems that every month there is an exercise app, health aid, home security system or electronic toy that is compromised by the sheer fact that those providing the product did not seem to even try to secure it. But what can you do to try and ensure the products you buy are secure?
– UK: Check or ask if they have been certified with the BSI Kitemark for IoT Devices which includes “penetration testing scanning for vulnerabilities and security flaws”. This has been operating since 2018 and I have been unable as yet to find how many products are certified so far.
– EU: There is an IoT category of the CE mark but whilst it mentions electromagnetic interference etc. I have seen no evidence of data or cyber security aspects to this.
– USA: As far as I know, there is only really the FCC, which I believe is about electromagnetic interference and not cyber security of products.
Really it is up to us to ask legislative representatives how they are compelling the manufacturers of the possibly dozens of IoT devices in our homes to keep our personal lives personal.
…or just stay clear of the IoT!