Data Of Echelon Users Exposed Due To Leaky API
The leaky API of Echelon, an exercise giant, reportedly gives access to any rider's account information.
Shortly after Peloton, another home workout giant, was found to be exposing user information through a leaky API, it is Echelon's turn. Jan Masters, a researcher at Pen Test Partners, found that Echelon's API let him access any member's account data in a live or pre-recorded class, including name, city, age, sex, weight, phone number, workout statistics, and much more.
Zack Whittaker writes in TechCrunch about the incident and how Echelon reacted to the claims. Here is what he has written:
The leaky API of Echelon lets anyone access users' personal information, including their fitness equipment's serial number.
The API was supposed to check whether a member's device is authorized to access user data, but it gave it out without any token.
Another bug allowed its members to pull data of any other members due to weak access control on the API, making it easy to pull out user account ids and information from its servers.
Though the researchers had directly messaged them on their Twitter handle, they didn't hear back for 90 days, which was the maximum time given to companies to fix the flaws.
Echelon had told TechCrunch that they had fixed the flaws, but the researcher disputed this, saying that two flaws are still yet to be fixed.
It also said that it fixed the bug that let children under the age of 13 sign up, but when TechCrunch created an account with an age of less than 13, it was still possible.
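The two access-control failures described above, a data endpoint that answers without any token and one that lets any authenticated member read any other member's record, modelled as an added Python example. This is illustrative code written for this page, not Echelon's API; the member records, the signing secret and the token format are constructed assumptions, and the hardened handler shows the checks a defender would expect at that endpoint.

```python
import hmac
import hashlib
from typing import Optional

SECRET = b"constructed-server-secret"  # constructed placeholder signing key

# Constructed member records standing in for the account data the API protects.
MEMBERS = {
    101: {"name": "Alice", "city": "Austin", "age": 34, "serial": "EQ-0001"},
    202: {"name": "Bob", "city": "Boston", "age": 41, "serial": "EQ-0002"},
}


def issue_token(member_id: int) -> str:
    """Mint a bearer token bound to one member id (HMAC-SHA256 over the id)."""
    tag = hmac.new(SECRET, str(member_id).encode(), hashlib.sha256).hexdigest()
    return f"{member_id}.{tag}"


def verify_token(token: Optional[str]) -> Optional[int]:
    """Return the member id a token belongs to, or None if it is missing or forged."""
    if not token or "." not in token:
        return None
    member_id, tag = token.split(".", 1)
    if not member_id.isdigit():
        return None
    expected = hmac.new(SECRET, member_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int(member_id)


def get_member_leaky(requested_id: int, token: Optional[str] = None) -> Optional[dict]:
    """The flaw as reported: the token is never checked, any id returns a record."""
    return MEMBERS.get(requested_id)


def get_member_hardened(requested_id: int, token: Optional[str]) -> Optional[dict]:
    """Fixed handler: a valid token is required AND it must belong to the
    record being requested (object-level authorization), otherwise nothing
    is returned. A real API would answer 401 / 403 respectively."""
    caller = verify_token(token)
    if caller is None:
        return None
    if caller != requested_id:
        return None
    return MEMBERS.get(requested_id)
```
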
What Zluri Thinks
Data breaches like these cause irreparable damage to an organization's reputation. As data centers move to the cloud, the attack surface broadens. IT leaders must research and implement every precaution their budget allows to prevent incidents like this from happening.
You can read the full article here.