Polar Flow, an app developed by Polar, a Finland based sports gadgets manufacture has been found exposing personal and sensitive details of millions of users around the globe including location data of those working for law enforcement organizations, intelligence agencies, and military bases etc. As a result, the company has suspended its Explore feature to avoid further issues.
This was revealed after a joint investigation conducted by De Correspondent, a Dutch news website and Bellingcat, a Briton based citizen journalism website. According to researchers, this is possible due to a critical security flaw in the Polar Flow app which allowed them to scan accounts of 6,500 users including “military personnel, intelligence operatives, and people who work at sites where nuclear weapons are stored.”
Further digging into the data revealed that Polar displays its users exercising activity in one single map and due to the flaw, the activity of millions of users from over 70 countries since 2014 is at risk. Only in the United States, researchers were able to extract the location data of individuals working for the NSA, FBI, American soldiers in Iraq and military personnel stationed at Guantanamo Bay and even airmen involved in battles against the so-called Islamic State (ISIS/ISIL).
User location data in The Netherlands (left) – Location data of users at a military base in Mali (West Africa) Image credit: (BellingCat)
Here is the full preview of what researchers found after exploiting the security flaw in the app:
1: Military personnel exercising at bases known, or strongly suspected, to host nuclear weapons.
2: Individuals exercising at intelligence agencies, as well as embassies, their homes, and other locations.
3: Persons working at the FBI and NSA.
4: Military personnel specialized in Cyber Security, IT, Missile Defence, Intelligence and other sensitive domains.
5: Persons serving on submarines, exercising at a submarine base.
6: Individuals both from management and security working at nuclear power plants.
7: A CEO of a manufacturing company, exercising in locations all over the world.
8: Americans in the Green Zone in Baghdad.
9: Russian soldiers in Crimea.
10: Military personnel at Guantanamo Bay.
11: Troops stationed near the North Korean border.
12: Airmen involved in the battle against the Islamic State.
Polar, on the other hand, has addressed the issue with a statement clarifying that there was no security breach or data leak. The company has also apologized to its users for suspending the Explore feature. Explore is used by athletes all over the world to share and celebrate their training sessions
”Currently, the vast majority of Polar customers maintain the default private profiles and private sessions data settings and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API,” the statement reads.
“We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations.”
This is not the first time when a fitness tracking app has leaked such highly personal and sensitive data. In January this year, the Global Heat Map of GPS tracking and fitness-tracker app Strava also exposed the location data of its users and that also included military bases as well as the daily routines of military personnel.
