A popular fitness app, PumpUp, which claims over six million users, was leaking private and sensitive data, including health information and private messages sent between users.
The company left a core backend server, hosted on Amazon’s cloud, exposed without a password, enabling anyone to observe sign-ins and exchanged messages.
According to ZDNet, the server is now secured — but it’s still exposing data when it acts as a broker exchanging user messages. It uses MQTT, a little-known protocol normally reserved for communication with Internet of Things devices and apps. MQTT is low-bandwidth but transitory, so anyone connected to the broker can see the real-time stream of data as it passes through, rather than accessing a vast centralized data store.
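The failure described above is a broker that accepts connections without credentials, so every subscriber sees every message. The following configuration is an added example and not PumpUp's own setup; it assumes the Eclipse Mosquitto broker (the page does not name the broker software) and shows the weak listener beside a hardened one that requires authentication, TLS, and per-user topic access.

```conf
# --- Weak: the configuration that produces the exposure described above ---
# Plaintext listener on the default MQTT port, reachable from the Internet.
listener 1883 0.0.0.0
# Any client may connect without a username or password and subscribe to "#",
# which delivers every message the broker relays.
allow_anonymous true

# --- Hardened: what a defender would deploy instead ---
per_listener_settings true

# TLS-only listener on the standard MQTT-over-TLS port.
listener 8883 0.0.0.0
# Hypothetical paths; replace with your own CA, server certificate and key.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Every client must present a username and password from the hashed
# password file (created with mosquitto_passwd).
allow_anonymous false
password_file /etc/mosquitto/passwd

# Access-control list: clients may only publish/subscribe to their own
# namespace, so a chat message for one user is never visible to another.
acl_file /etc/mosquitto/acl
```

The referenced ACL file would contain a single rule such as `pattern readwrite users/%u/#`, where `%u` is substituted with the authenticated username, so a wildcard subscription to `#` returns nothing the client is not authorised to see.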
The exposed data included email addresses, dates of birth, gender, and the city or town of the user’s location and timezone. The data also included the user’s app bio, workout and activity goals, full-resolution profile photos, the list of users a user had blocked, and whether the user had rated the app.
Security researcher Oliver Hough found the exposed server and contacted ZDNet to investigate.