PumpUp - Des data et du sens

A popular fitness app, PumpUp, leaked private and sensitive data, including health information and private messages sent between users.

The company left a core backend server, hosted on Amazon's cloud, exposed without a password.

It allowed anyone to watch, in real time, who was signing in, who was sending messages, and the contents of those messages.

Each time a user sent a message to another user, the app exposed user profile data and the private contents of that message.

The exposed data included email addresses, dates of birth, gender, and the city or town of the user's location and time zone.

The data also included the user's app bio, workout and activity goals, and users' full-resolution profile photos.

The app also exposed user-submitted health information such as height, weight, and other data points, like caffeine and alcohol consumption, smoking frequency, health concerns, medications, and injuries.

Also included in the exposed data was device data, such as iOS and Android advertiser identifiers, users' IP addresses, and session tokens for the app, which could be used to gain access to a user's account without needing their password.

Users who signed in using Facebook also had their access tokens exposed, putting their Facebook account at risk.

In some cases, we also found unencrypted credit card data -- including card numbers, expiry dates, and card verification values.

It's not known for how long the server was exposed, but the company was slow to pull the server offline.

We spent over a week trying to inform the company of the breach. ZDNet contacted the company's chief executive Garrett Gottlieb, several of his staff, and even the company's customer support inbox -- but our emails were not returned. The company's backers, General Catalyst -- which invested $2.4 million into the app -- also did not respond to our inquiries.

The server is thought to have been quietly secured earlier this week. We contacted Gottlieb again prior to publication but did not receive a response.

It's not known if the company, which also has an office in San Francisco, will disclose the data breach to regulators in California, as the law there mandates. Canada's mandatory data breach notification law comes into effect later this year.

But given how many of the app's users are located in Europe, the company also faces action under the EU's newly implemented General Data Protection Regulation. The law, known as GDPR, came into effect on May 25 and allows regulators to fine companies that violate it up to four percent of the firm's global revenue for the previous year.

According to recent research, two-thirds of organizations were not prepared for the new EU law just weeks before it took effect.

Source: https://www.zdnet.com/article/fitness-app-pumpup-leaked-health-data-private-messages/

"id": "PUM2236181122",
"linkid": "pumpup",
"type": "Data Leak",
"date": "06/2018",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"