First it was Fitbit giving away secret military locations. Now it’s Finnish competitor Polar with security issues…
Andrew Liptak – The Verge – Monday, 9 July 2018
Finnish fitness company Polar has temporarily suspended Explore, its global activity map, after a pair of reports from De Correspondent and Bellingcat (via ZDNet) pointed out flaws in the app’s privacy settings that made it easy for someone to find users’ location data, echoing a similar privacy incident with another fitness app earlier this year. It’s a worrying discovery, as one report was able to use the information to locate the names and addresses of thousands of users who appeared to work for military and intelligence services.
Polar is a Finnish company that produces a variety of smart devices, including the Polar Balance smart scale, the M600 smartwatch, and the M430 running watch, all of which connect to the company’s fitness app, Polar Flow. The company’s devices work together to record one’s weight and activity, which can appear on a user’s online profile. Users can have their information included in Explore, but can also opt to have their profiles marked private, which Polar says will prevent the service from sharing that information with third-party apps like Facebook.
The joint investigation found that someone could use the data from Polar’s map to locate sensitive military sites, as well as enough information to find a user’s name and address. User activity was plotted on Explore, including the activities of personnel fighting ISIS in Iraq. But unlike Strava, which was found earlier this year to simply reveal potentially sensitive location data, the reporters were able to dig deeper and locate the names and addresses of Polar users, including personnel from various military and intelligence agencies around the world.
De Correspondent explains that it found that Polar’s Explore map keeps track of every user’s activity since 2014, and that by using that information, it was able to locate 6,460 users who used the service near sensitive facilities. Because each user was identified with the activity, the reporters were able to use their name and city to cross-reference the information to figure out a user’s home address.
More worrying, De Correspondent notes that Polar Flow had a flaw that allowed them to get information from users who had marked their profiles private, and that the API didn’t put a cap on the number of requests someone could make, allowing them to pull up a user’s entire workout history, which they say “made it much easier to determine their home address, where people’s workouts often begin and end.” Bellingcat noted that it was able to scrape Polar’s website for information about specific locations, and gathered up a considerable amount of data.
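The two API weaknesses described above (private profiles still readable by third parties, and no cap on requests) correspond to two server-side checks that a workout-history endpoint should make. The code below is an added example written for this page, not Polar’s code; the profiles, workout tracks, limiter thresholds and the extra step of trimming a workout’s start and end points before serving it to anyone but its owner are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import time


# Constructed sample data; not Polar's schema or real users.
@dataclass
class Profile:
    user_id: str
    private: bool


PROFILES = {"alice": Profile("alice", private=True), "bob": Profile("bob", private=False)}
WORKOUTS = {  # each workout is a (lat, lon) track from start to finish
    "alice": [[(60.17, 24.94), (60.18, 24.95), (60.19, 24.96), (60.20, 24.97)]],
    "bob": [[(60.10, 24.80), (60.11, 24.81), (60.12, 24.82)]],
}


class RateLimiter:
    """Sliding-window request cap per caller (hypothetical thresholds)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.calls = defaultdict(list)

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.calls[caller] if now - t < self.window_seconds]
        if len(recent) >= self.max_requests:
            self.calls[caller] = recent
            return False
        recent.append(now)
        self.calls[caller] = recent
        return True


def trim_endpoints(track, drop=1):
    """Drop the first/last points so where a workout begins and ends is not served."""
    return track[drop:-drop] if len(track) > 2 * drop else []


def get_workout_history(requester, target, limiter, now=None):
    """Return (HTTP-style status, payload): rate cap, then private-profile check."""
    if not limiter.allow(requester, now):
        return 429, None
    profile = PROFILES.get(target)
    if profile is None:
        return 404, None
    if profile.private and requester != target:
        return 403, None  # private profiles are never served to other users
    owner = requester == target
    return 200, [w if owner else trim_endpoints(w) for w in WORKOUTS.get(target, [])]
```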