Strava data breach

Using the fitness-tracking app Strava, malicious users have been spying on Israeli military and Mossad personnel.

How can a Social Fitness Application spy on Mossad?

Using the fitness-tracking app Strava, malicious users have been spying on Israeli military personnel. They have been able to map their movements and follow them through secret facilities all over the country.

Introduction to Strava history

The Strava app is a GPS-based app that is designed for athletes of all levels to track their progress and performance. The app allows users to see their personal bests, compare their times with others, and set goals. The app also provides a feed of recent activity from friends and fellow athletes. It’s a sort of social media for athletes.

In November 2017, Strava released its global heatmap, built from more than 3 trillion GPS points recorded by its users (turning off data sharing is an option). It looks very pretty, but it is not very practical in terms of privacy and confidentiality: US bases were clearly identifiable and mappable.

While only the location of a subject would be visible from a heat map, it’s not all that complicated to integrate personal data into the map and derive the person’s identity. In 2018, secret information about where military bases and outposts are around the world was made public.

Area 51

Strava claimed when it released the heatmap, an updated version of one it had previously published in 2015, that “this update includes six times more data than before—in total 1 billion activities from all Strava data through September 2017. Our global heatmap is the largest, richest, and most attractive dataset of its type. It is a direct representation of Strava’s worldwide athlete network.”

This was a short introduction to Strava, which was already known to share information about its users.

But The Guardian reported yesterday that an anonymous user has been using the app to find Israeli soldiers at top-secret locations and military outposts.

The security breach was uncovered by a cybersecurity company named “FakeReporter”.

The operation, the details of which have not been revealed, was able to keep tabs on people exercising on the grounds by installing fake “segments” inside military bases, even people who had applied the strongest possible account privacy settings.

The fake segment solution also gets around some of Strava’s privacy restrictions. Users can restrict access to their accounts to just “followers,” preventing prying eyes from following their travels over time.

But unless they also mark each individual activity as private, their profile picture, first name, and initials will show up on the leaderboard of every segment they have run, in the spirit of friendly competition.

With enough segments spread across an area, a person can still be located and identified. For example, one user tracked a person’s participation in a public race, which they won, as well as their jogging inside secure military institutions.
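To make the interaction between the two settings concrete, here is a small added model (written for this article, not Strava's code) of a segment leaderboard. The field names, the display rule (first name plus an initial) and the sample athlete are assumptions chosen to mirror the behaviour described above: the followers-only setting hides the profile page, but only the per-activity privacy flag removes a leaderboard row.

```python
"""Added illustration, not Strava's code: a toy model of how a followers-only
profile interacts with segment leaderboards.  Field names, the display rule
(first name + initial) and the sample athlete are assumptions chosen to
mirror the behaviour the article describes."""
from dataclasses import dataclass


@dataclass
class Athlete:
    first_name: str
    last_name: str
    followers_only: bool = False        # assumed: profile visible to followers only


@dataclass
class Activity:
    athlete: Athlete
    segment_ids: frozenset              # segments the recorded track passed through
    private: bool = False               # assumed: per-activity "only me" setting


def display_token(athlete: Athlete) -> str:
    """What a leaderboard row shows: first name plus the initial of the last name."""
    return f"{athlete.first_name} {athlete.last_name[0]}."


def profile_visible(athlete: Athlete, viewer_is_follower: bool) -> bool:
    """The followers-only setting governs the profile page, nothing else."""
    return viewer_is_follower or not athlete.followers_only


def leaderboard(segment_id: str, activities: list) -> list:
    """Rows an anonymous (non-follower) viewer sees for one segment.

    Only the per-activity privacy flag removes an entry; the profile-level
    followers-only setting is deliberately *not* consulted here, because
    that is the gap the article describes."""
    return [
        display_token(act.athlete)
        for act in activities
        if segment_id in act.segment_ids and not act.private
    ]


# Constructed sample data: one athlete with the strictest profile setting who
# recorded two runs through a segment placed on a restricted site.
AVI = Athlete("Avi", "Cohen", followers_only=True)
ACTIVITIES = [
    Activity(AVI, frozenset({"base-loop"})),                 # default: visible
    Activity(AVI, frozenset({"base-loop"}), private=True),   # marked "only me"
]


def exposure_report() -> dict:
    """Compare what a stranger can see on the profile vs. on the leaderboard."""
    return {
        "profile_visible_to_stranger": profile_visible(AVI, viewer_is_follower=False),
        "leaderboard_rows": leaderboard("base-loop", ACTIVITIES),
    }


if __name__ == "__main__":
    # The profile is hidden, yet the non-private run still puts "Avi C." on the board.
    print(exposure_report())
```

The report shows the profile hidden from a stranger while the leaderboard still carries one row, because the first activity was left at its default visibility; the second, marked private, contributes nothing. That is the setting a user who wants to stay off segment leaderboards actually has to change.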

Some were even found inside locations associated with Israel’s highly secure nuclear program. The identities of several confidential agents were disclosed.

So the question is…

If the application was vulnerable to business logic abuse before, how can it still be vulnerable today?

Although we are talking about two different application features (in 2018 it was the heatmap, today it is fake segments), the common thread is Strava’s philosophy about data privacy.

Strava seems to want its users to be responsible for keeping their personal information safe. It offers different ways to protect an account, but the process isn’t very appealing.

Strava’s response to the uproar was to tell military users that they could choose not to use its visualization, saying that the information was already public because it was uploaded by users.

Two months ago, Israel’s fake segments were brought to Strava’s attention for the first time.

What did Strava do?

The company removed them.

Does it really help? It doesn’t change anything: the insecure design is unchanged, and the system is still vulnerable and open to scraping and business logic abuse.

Any user can create a new segment anywhere, even somewhere they have never physically been, which basically means that my cat (Paws) could track people and draw maps of secret bases.
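The design flaw described here is that segment creation is not tied to the creator having recorded anything along the route. The following added example (written for this article, not Strava's code) puts the unchecked version beside a hardened one that only accepts a segment whose vertices lie along one of the creator's own recorded tracks. The coordinates, the 30 m tolerance and the function names are assumptions; a forged GPS track would still pass this check, so it raises the bar for fake segments rather than closing the problem.

```python
"""Added illustration, not Strava's code: a server-side check a segment
service could apply so that a segment can only be created along a route the
creator has actually recorded.  Coordinates, tolerance and function names are
assumptions; a forged GPS track would still pass, so this raises the bar
rather than closing the problem."""
import math

EARTH_RADIUS_M = 6_371_000


def distance_m(p, q) -> float:
    """Equirectangular approximation of the distance between two (lat, lon)
    points in metres; accurate enough at segment scale."""
    lat1, lon1 = math.radians(p[0]), math.radians(p[1])
    lat2, lon2 = math.radians(q[0]), math.radians(q[1])
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return math.hypot(x, y) * EARTH_RADIUS_M


def create_segment_unchecked(creator: str, polyline: list) -> dict:
    """The insecure design the article describes: any polyline is accepted,
    whether or not the creator was ever there."""
    return {"creator": creator, "polyline": polyline}


def covered_by_own_tracks(polyline, own_tracks, tolerance_m=30.0) -> bool:
    """True when every vertex of the proposed segment lies within tolerance_m
    of some point the creator recorded themselves."""
    return all(
        any(distance_m(v, pt) <= tolerance_m for track in own_tracks for pt in track)
        for v in polyline
    )


def create_segment(creator: str, polyline: list, own_tracks: list, tolerance_m=30.0) -> dict:
    """Hardened variant: refuse segments the creator has no recorded activity along."""
    if len(polyline) < 2:
        raise ValueError("a segment needs at least two vertices")
    if not covered_by_own_tracks(polyline, own_tracks, tolerance_m):
        raise ValueError("segment is not covered by any of the creator's own activities")
    return {"creator": creator, "polyline": polyline}


# Constructed sample: a short recorded run (points ~55 m apart) and two proposed
# segments, one along that run and one somewhere the creator never recorded.
RECORDED_RUN = [(32.0000, 34.8000), (32.0005, 34.8000), (32.0010, 34.8000), (32.0015, 34.8000)]
ON_ROUTE = [(32.0001, 34.8000), (32.0012, 34.8000)]
OFF_ROUTE = [(32.0100, 34.8100), (32.0110, 34.8100)]


def demo():
    """Returns (on-route segment accepted, off-route segment rejected)."""
    accepted = create_segment("runner", ON_ROUTE, [RECORDED_RUN])
    try:
        create_segment("runner", OFF_ROUTE, [RECORDED_RUN])
        rejected = False
    except ValueError:
        rejected = True
    return accepted["polyline"] == ON_ROUTE, rejected


if __name__ == "__main__":
    print("unchecked accepts off-route:", create_segment_unchecked("runner", OFF_ROUTE))
    print("hardened (accepted, rejected):", demo())
```

The unchecked function is the behaviour the article complains about: nothing connects the segment to the creator's presence. The hardened version still needs a sensible tolerance (GPS noise of a few tens of metres is normal) and, in a real service, a rate limit on segment creation and review of segments that attract few riders but many distinct viewers.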

Why is the current vulnerability the more serious one?

Not because IDF troops and Mossad are being tracked.

The reason is that segments can lead to a greater security risk.

The heatmap disclosed only details about where the military might be.

On the other hand, segments leak all the details about the people that can be found in a military base.

In conclusion

The Strava app is a GPS-based app that allows athletes of all levels to track their progress and performance. Hackers were able to access the personal data of millions of users. The breach was caused by a flaw in the app’s security that allowed hackers to impersonate users and gain access to their data. In 2018, secret information about US military bases and outposts around the world was made public. “Any country in the world is vulnerable to this manipulation,” says Achiya Schatz, FakeReporter’s executive director. The concern is not simply that IDF troops and Mossad are being tracked.

On a more personal note, turn off your tracking and stop cyberslacking.

The writer Nathan Sitbon focuses on application security. Nathan earned his CEH in 2018 and works in cybersecurity. Computer forensics and data recovery were his first jobs. From there, he moved into penetration testing and was among the first to join BLST Security, doing penetration tests for worldwide organizations and government agencies and contributing to the company’s main product by integrating complicated API attack vectors. He also writes on this topic.
