On January 20, 2021, security researcher Jan Masters discovered a critical misconfiguration in Peloton's API that exposed private user data for over three million subscribers. Despite users setting their profiles to private, the fitness company's API endpoints leaked personal information including age, gender, city, weight, and workout statistics to anyone on the internet. The vulnerability persisted for over 90 days after initial disclosure, highlighting a systemic problem that plagues modern APIs: security misconfiguration.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Security Misconfiguration

  • Roman Canlas

摘要

On January 20, 2021, security researcher Jan Masters discovered a critical misconfiguration in Peloton's API that exposed private user data for over three million subscribers. Despite users setting their profiles to private, the fitness company's API endpoints leaked personal information including age, gender, city, weight, and workout statistics to anyone on the internet. The vulnerability persisted for over 90 days after initial disclosure, highlighting a systemic problem that plagues modern APIs: security misconfiguration.