Fitness app PumpUp leaked health data, private messages
A popular fitness app that claims over six million users was leaking private and sensitive data, including health information and private messages sent between users. PumpUp, an Ontario-based company, bills itself as a fitness community, allowing subscribers to discover new workouts and record their results, and get advice from fitness coaches and other users. But the company left a core backend server, hosted on Amazon’s cloud, exposed without a password, allowing anyone to see who was signing on and who was sending messages — and their contents — in real-time.
The server, now secured, acts as a messaging broker, directing user requests and private messages to other app users. The broker uses the little-known MQTT protocol, which developers often use for communicating with Internet of Things devices and phone apps, thanks to its low bandwidth, which cuts down on server costs and data overheads. The protocol is transitory: messages pass through the broker rather than being stored, so anyone with access to it sees the real-time stream of data instead of a vast centralized data store.
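The exposure described above comes down to a broker that accepts connections without credentials. As an added illustration that is not configuration from PumpUp or from the article, here is what the weak and the hardened listener settings look like in Eclipse Mosquitto (assumed here as the broker software; the article does not name it), with placeholder file paths and an assumed `users/<account>/...` topic scheme:

```conf
# --- WEAK: the shape of an exposed broker (do not deploy) ---
# Any client that can reach the port can connect, subscribe to "#"
# and read every message passing through, with no credentials.
listener 1883
allow_anonymous true

# --- HARDENED: authenticate, encrypt, and scope each account ---
# TLS on the listener so credentials and message bodies are not sent
# in the clear (certificate paths are placeholders).
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Reject unauthenticated clients and require a username/password
# from the broker's password file.
allow_anonymous false
password_file /etc/mosquitto/passwd

# Authentication alone still lets any valid account subscribe to "#".
# An ACL file limits each account to its own topic prefix.
acl_file /etc/mosquitto/aclfile

# --- contents of /etc/mosquitto/aclfile (assumed topic layout) ---
# "%u" is replaced with the connecting username, so account "alice"
# may only read or write under users/alice/...
# pattern readwrite users/%u/#
#
# A named backend account (placeholder name) that routes messages
# between users is the only principal allowed across all prefixes.
# user backend-router
# topic readwrite users/#
```

Accounts are created with `mosquitto_passwd -c /etc/mosquitto/passwd <username>`, and since Mosquitto 2.0 a listener with no authentication configured refuses anonymous clients by default, so the weak block above must be set deliberately to reproduce the exposure.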
Each time a user sent a message to another user, the app exposed user profile data — and the private contents of that message. The exposed data included email addresses, dates of birth, gender, and the city or town of the user’s location and timezone. The data also included the user’s app bio, workout and activity goals, full-resolution profile photos, the list of users a user had blocked, and whether the user had rated the app.