For the second time this year, an exercise tracking app has exposed sensitive information on military and intelligence personnel in several countries, including the U.S., U.K., France, and Russia.
Polar Flow is an app created by Finnish-based company Polar that allows users to track their workout times and locations. At issue is the improper exposure of user data to outside queries. This data leak was first identified by the Dutch news outlet De Correspondent, who found they were able to identify over 6,400 user identities working in confidential or classified facilities as well as many of their home addresses.
In this respect, the Polar exposure is worse than the Strava news earlier in the year, which exposed military personnel usage in semi-secret operational camps. The reason: The Polar nay expose a person’s work and home locations.
The journalists at De Corresponent found that Polar’s unprotected API (application programming interface) could also be ‘tricked’ into giving more details about the user’s activity, and that looking up known military or government facilities such as the NSA would provide details on which users worked there, and also where they resided.
Polar’s CSO has denied a data breach or leak, but has since disabled its mapping functionality.
Read De Correspondent’s investigation on Polar here.