Security Misconfiguration
摘要
On January 20, 2021, security researcher Jan Masters discovered a critical misconfiguration in Peloton's API that exposed private user data for over three million subscribers. Despite users setting their profiles to private, the fitness company's API endpoints leaked personal information including age, gender, city, weight, and workout statistics to anyone on the internet. The vulnerability persisted for over 90 days after initial disclosure, highlighting a systemic problem that plagues modern APIs: security misconfiguration.