Strava, an online service for athletes, has exposed sensitive information about military and intelligence officials by storing and disclosing its customers' workout data. This is reported by the Israeli newspaper Haaretz, citing the FakeReporter portal. The maps with running routes and times were visible to everyone via detours.
The Strava app vulnerability, uncovered by Israeli open-source investigative group FakeReporter, also exposed a number of highly sensitive locations in Israel, including the exact locations of army and air force bases, Mossad headquarters and military intelligence bases.
With a few tricks, it was possible to find track segments in Israeli military and secret service facilities on Strava and get personal data on about 100 people. Strava did not have sufficient protection against this. Users could not prevent this even with the strictest privacy settings.
Strava Privacy Gap
“The Strava privacy breach is a prime example of how cybercriminals use seemingly harmless applications and infrastructure to obtain sensitive information about other users. The fact that this isn't the first time Strava has come under fire over such a bug is all the more surprising, and shows that companies - no matter how well-known and popular their platform may be - still have a lot of work to do in order to secure their services. All too often, security and privacy are an afterthought in the software development process,” said Ian McShane, Arctic Wolf vice president, strategy.
IoT devices and wearables
“With the proliferation of IoT devices and wearables, the risk of criminals gaining access to private individuals' data is also increasing. Even if they assume their information is protected and the device or app settings indicate the information is private. It is the responsibility of the companies that develop and sell these devices to improve security. They must ensure that criminals cannot use simple tricks such as manipulating a GPS-tracked running unit to gain access to personal data, which could then be used for phishing campaigns or even more questionable activities.”
More at ArcticWolf.com
About Arctic Wolf Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1,6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2.000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.