A popular fitness app has inadvertently exposed the locations of personnel who work for military and intelligence services.
Exploiting Workout Data Recorded By Polar Flow
An investigation by the Dutch news site De Correspondent revealed it is possible to find workout information recorded by Polar Flow and use this to potentially identify the names of employees who work at government buildings and military bases.
The technique involves accessing the developer API from Polar, the Finland-based company that produces Polar Flow. Using the API, a person with the right know-how can explore not just the public data that users intentionally share, but also the fitness tracking information of users who set their profiles to private, including government spies and military personnel.
The API also did not place a limit on the number of requests that a person could make, which means it is possible for someone to scrape information from millions of users who track their workouts. This access could make it possible to identify people who work at sensitive locations.
Some users of the Polar Flow app prefer to set their activity tracking records to public. For these users, posting their workouts on the Explore map feature is not a privacy issue. It turns out, however, that the feature can also reveal the fitness activities of users who set their profiles to private, as well as where they live.
This means that the data can be exploited to identify people who work at government or military installations, along with their locations.
De Correspondent said that the technique simply requires looking up a known government or military installation, finding a workout that was tracked there, and exploring the user's other workouts. There is a good chance that the user has also worked out at or near their home.
Using this technique, researchers were able to identify users who work at sensitive locations, including those who worked at the White House, the NSA, the Russian GRU, and the British intelligence agency MI6, among others.
In a report, De Correspondent revealed how it managed to track one user, believed to be an officer of the Dutch state intelligence service, across the world and locate his home address.
Polar said that it is now addressing the issue.
"We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations," the company said in a statement.