Finnish fitness company Polar has temporarily suspended Explore, its global activity map after a pair of reports from De Correspondent and Bellingcat (via ZDNet) pointed out flaws in the app’s privacy settings that made it easy for someone to locate the location data of users, echoing a similar privacy incident with another fitness app earlier this year. It’s a worrying discovery, as one report was able to use the information to locate the names and addresses of thousands of users who appeared to work for military and intelligence services.
Polar is a Finish company that produces a variety of smart devices, including the Polar Balance smart scale, the M600 smartwatch, and M430 running watch, all of which are connect to the company’s fitness app, Polar Flow. The company’s devices work together to record one’s weight and activity, which can appear on a user’s online profile. Users can have their information included in Explore, but can also opt to have their profiles marked private, which Polar says will prevent the service with sharing that information to third party apps like Facebook.
The joint investigation found that someone could use the data from Polar’s map to locate sensitive military sites, as well as enough information to locate a user’s name and address. User activity was plotted on Explore, including the activities of personnel fighting ISIS in Iraq. But unlike Strava, which was found to simply revealed potentially sensitive location data earlier this year, the reporters were able to dig deeper and locate the names and addresses of Polar users, including military personnel from various military and intelligence agencies around the world.
De Correspondent explains that it found that Polar’s Explore map keeps track of every user’s activity since 2014, and that by using that information, it was able to locate 6,460 users who used the service near sensitive facilities. Because each user was identified with the activity, the reporters were able to use their name and city to cross-reference the information to figure out a user’s home address.
More worrying, De Correspondent notes that Polar Flow had a flaw that allowed them to get information from users who had marked their profiles private and that API didn’t put a cap on the number of requests that someone could make, allowing them to pull up a user’s entire workout history, which they say “made it much easier to determine their home address, where people’s workouts often begin and end.” Bellingcat noted that it was able to scrape Polar’s website for information about specific locations, and gathered up a considerable amount of data.
In light of the reports, Polar issued a statement on Friday, apologizing for the oversight and that it was suspending the Explore feature in the Flow app, explained that there had been no breach of private data, and that it is “analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.”
Earlier this year, fitness platform Strava made headlines when a researcher pointed that its heat map revealed the locations of military installations in places like Turkey and Afghanistan, potentially exposing the activities and routines of soldiers in remote bases, while security researchers found that its privacy features were pretty weak. The company quietly streamlined its opt-out feature for its heat map shortly after the revelation, and said that it it would add new restrictions and refresh its data monthly to prevent the accumulation of data that worried security experts. This latest incident is another in a long string of examples of where companies don’t put stringent security requirements on the data that they accumulate, which could potentially be exploited by bad actors.