A new example of the risks associated with seemingly innocent data sharing has been uncovered, showcasing how information on Polar Flow, a popular fitness app and activity tracker, can be used to identify government and military personnel around the world. A report indicated that workout data could be used to discover the names of employees at sensitive locations.
The report references an investigation that showed the names of employees at government facilities and military bases could be learned by examining data collected by Polar Flow, according to a report by Gizmodo.
To learn the potentially sensitive details, the developer API from Polar needs to be accessed, granting a person the ability to explore user-shared data as well as profile information, even when the profile was set to private.
Requests made through the API are not rate-limited, so a single caller can pull information on Polar Flow’s millions of users.
When enough data is accumulated, it is possible to identify individuals working at sensitive locations, such as military bases or government buildings, by cross-referencing the information to known installations.
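The two weaknesses described above are server-side ones: the API handed out profile and session data without honouring the user's privacy setting, and it placed no limit on how many lookups one caller could make. The following is an added illustration, not Polar's code and not from the Gizmodo report; it models a minimal session-lookup endpoint with a leaky handler beside a hardened one. All names (`leaky_lookup`, `hardened_lookup`, `RateLimiter`, the `USERS` records) and the sample GPS points are constructed for the example.

```python
"""Added example: a toy fitness-session lookup API, leaky vs. hardened.

Not Polar's code. The user records, session tracks and function names
are constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from time import monotonic


@dataclass
class Session:
    owner: str
    public: bool            # per-session sharing choice made by the user
    gps_track: list         # list of (lat, lon) points, constructed


@dataclass
class Profile:
    user_id: str
    name: str
    private: bool           # profile-level privacy setting
    sessions: list = field(default_factory=list)


# Constructed sample data: one private profile, one public profile that
# still has a private session.
USERS = {
    "u1": Profile("u1", "Alice Example", private=True, sessions=[
        Session("u1", public=False, gps_track=[(60.17, 24.94), (60.18, 24.95)]),
    ]),
    "u2": Profile("u2", "Bob Example", private=False, sessions=[
        Session("u2", public=True, gps_track=[(51.50, -0.12), (51.51, -0.11)]),
        Session("u2", public=False, gps_track=[(51.52, -0.10)]),
    ]),
}


def leaky_lookup(user_id):
    """Weak handler: returns the name and every session, ignoring both the
    profile privacy flag and the per-session sharing flag, and applies no
    limit on how often it may be called."""
    p = USERS.get(user_id)
    if p is None:
        return None
    return {"name": p.name, "sessions": [s.gps_track for s in p.sessions]}


class RateLimiter:
    """Sliding-window limiter keyed by API key. The clock is injectable so
    the behaviour can be tested deterministically."""

    def __init__(self, max_requests, window_seconds, clock=monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, api_key):
        now = self.clock()
        hits = self._hits[api_key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def hardened_lookup(user_id, api_key, limiter):
    """Hardened handler: rate-limits per API key, treats private profiles
    exactly like unknown users (so the endpoint cannot be used to enumerate
    which ids exist), and only returns sessions the owner chose to share."""
    if not limiter.allow(api_key):
        return {"error": "rate_limited"}
    p = USERS.get(user_id)
    if p is None or p.private:
        return {"error": "not_found"}
    return {
        "name": p.name,
        "sessions": [s.gps_track for s in p.sessions if s.public],
    }


if __name__ == "__main__":
    limiter = RateLimiter(max_requests=100, window_seconds=60)
    print("leaky   :", leaky_lookup("u1"))
    print("hardened:", hardened_lookup("u1", "demo-key", limiter))
    print("hardened:", hardened_lookup("u2", "demo-key", limiter))
```

The point of the indistinguishable `not_found` response is that a private profile should look the same as a non-existent one from outside; the per-session filter is what keeps a single shared run from disclosing the rest of a user's history, and the limiter is what stops bulk collection across the whole user base.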
Researchers who discovered the possible use of Polar Flow’s data were able to identify over 6,400 users who they believe work at sensitive locations.
The researchers found employees of the White House, NSA, the Russian GRU, British intelligence agency MI6, and many others.
Data from the fitness app also identified potential staff members of other organizations of a sensitive nature, like prisons, missile silos, and nuclear storage facilities.
Once a potential person of interest is found, other details can be learned by tracking their movements, such as foreign military personnel working out near US government facilities.
After learning of the vulnerability, Polar released a statement acknowledging the issue and stating that the situation would be addressed. However, the potential seriousness of the data exposure was downplayed.
Polar said, “It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”
This isn’t the first instance where fitness data exposed potentially sensitive information. Earlier this year, Strava, a fitness-tracking app, received scrutiny after it was found that its heat maps could be used to locate military bases, including some that were not previously disclosed to the public.