Polar's fitness app exposed its users' sensitive location details

Leslie Hanson
July 9, 2018

In a similar incident, Strava found itself in hot water in January when it released a heat map showing the fitness activity of its users from around the world. The map was an attempt to highlight its active user base, but it inadvertently made it possible to figure out how people move around sensitive locations like foreign military bases.

Polar has temporarily suspended a feature on its Flow platform after it was revealed that the app's privacy settings allowed access to potentially sensitive information about some of its users.

However, the investigation claims it was able to obtain details from private profiles as well as public ones.

A joint investigation from De Correspondent and Bellingcat has revealed that Finnish company Polar's fitness app Polar Flow exposed the geolocation details of its users.

The working group used the app to find the names and home addresses of intelligence and secret service employees from different countries. Someone exercising on a military base will not only reveal where the base is, but also where they live, as fitness trackers are typically turned off when entering a home, and turned back on when leaving it several hours later (and usually overnight). The two organisations found areas such as a military base, selected an exercise that had been published there, then simply looked at where that same user profile had been.

In all, the investigation was able to identify almost 6,500 people across 69 countries at locations including the NSA, the White House, MI6 and Guantanamo Bay.

The individuals whose personal addresses were discovered included employees from the United States' National Security Agency, the UK's Government Communications Headquarters and MI6, as well as Russia's Main Intelligence Directorate, or GRU. Users often use their full names in their profiles, accompanied by a profile picture - even if they did not connect their Facebook profile to their Polar account.

The Explore component of Polar Flow was meant to show anonymous data on its users and their activities around the globe, displaying it in a similar fashion to the activity map that was responsible for Strava's woes earlier in the year.

Polar has issued a statement addressing the security loophole, clarifying that there has been no leak or breach of private data, and has apologized for the suspension of its Explore feature.

"Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case", it said.
