Peloton’s leaky API let anyone grab rider’s private account data

Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.

My Peloton profile is set to private and my friends list is deliberately empty, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.

Peloton, the at-home fitness brand synonymous with its indoor stationary bike, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)

But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics, and if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.

Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window of time that security researchers give to companies to fix bugs before details are made public.

But that deadline came and went, the bug wasn’t fixed, and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.
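The distinction the article draws, between an API that asks for nothing, one that merely asks for a paid account, and one that actually checks who may see a given profile, is easiest to see side by side. The following is an added example written for this page, not Peloton’s code: a hypothetical in-memory profile endpoint in three versions, with made-up user ids, field values and friend lists. Version 1 is the leaky behaviour, version 2 is the “members only” interim fix, and version 3 decides access per target profile.

```python
# Added example, not Peloton's code: a hypothetical in-memory profile
# endpoint in three versions, to show why restricting an API to "members"
# is not the same as checking whether the caller may see a given profile.

# The private field list mirrors the one the article says was exposed.
PRIVATE_FIELDS = ("age", "gender", "city", "weight", "workouts", "birthday_today")

# Constructed sample accounts (ids, values and friend sets are made up).
PROFILES = {
    "u1": {"age": 41, "gender": "m", "city": "Lisbon", "weight": 80,
           "workouts": 312, "birthday_today": False,
           "private": True, "friends": {"u2"}},
    "u2": {"age": 29, "gender": "f", "city": "Leeds", "weight": 61,
           "workouts": 58, "birthday_today": True,
           "private": False, "friends": set()},
}


class Unauthenticated(Exception):
    """Raised when the caller presents no session at all."""


def _public_view(target_id):
    """What anyone may learn about a profile: its id and that it is private."""
    return {"id": target_id, "private": PROFILES[target_id]["private"]}


def _full_view(target_id):
    """Public view plus every private field."""
    view = _public_view(target_id)
    view.update({k: PROFILES[target_id][k] for k in PRIVATE_FIELDS})
    return view


def get_profile_v1(target_id, requester_id=None):
    """Leaky: no authentication and no authorization. Anyone on the
    internet gets every field, whether or not the profile is private."""
    return _full_view(target_id)


def get_profile_v2(target_id, requester_id=None):
    """'Members only' band-aid: demands some logged-in account, then still
    returns every field, so any paying subscriber can read every profile."""
    if requester_id is None:
        raise Unauthenticated()
    return _full_view(target_id)


def get_profile_v3(target_id, requester_id=None):
    """Fixed: authorization is decided per target profile. Private fields
    go only to the owner, to an accepted friend, or for public profiles."""
    if requester_id is None:
        raise Unauthenticated()
    p = PROFILES[target_id]
    may_see = (
        requester_id == target_id
        or requester_id in p["friends"]
        or not p["private"]
    )
    return _full_view(target_id) if may_see else _public_view(target_id)


def denies_anonymous(handler, target_id):
    """True if the handler refuses a request carrying no session."""
    try:
        handler(target_id)
    except Unauthenticated:
        return True
    return False


if __name__ == "__main__":
    print("v1, anonymous:       ", get_profile_v1("u1"))
    print("v2, unrelated member:", get_profile_v2("u1", "u3"))
    print("v3, unrelated member:", get_profile_v3("u1", "u3"))
    print("v3, friend:          ", get_profile_v3("u1", "u2"))
```

The point of version 3 is that the check is made against the object being requested, not merely against whether the caller has an account; the requester id is assumed to come from a verified session, never from a request parameter.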

TechCrunch contacted Peloton after the deadline lapsed to ask why the vulnerability report had been ignored, and Peloton confirmed yesterday that it had fixed the vulnerability. (TechCrunch held this story until the bug was fixed in order to prevent misuse.)

Peloton spokesperson Amelise Lane provided the following statement:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

Masters has since put up a blog post explaining the vulnerabilities in more detail.

Munro, who founded Pen Test Partners, told TechCrunch: “Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.”

But questions remain for Peloton. When asked repeatedly, the company declined to say why it had not responded to Masters’ vulnerability report. It’s also not known if anyone maliciously exploited the vulnerabilities, such as mass-scraping account data.

Facebook, LinkedIn, and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms. But Peloton declined to confirm if it had logs to rule out any malicious exploitation of its leaky API.
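Ruling out mass scraping after the fact depends on having per-caller access logs and a way to summarise them. As an added example for this page (not Peloton’s code or log format), the script below runs a simple enumeration check over constructed access-log lines: it buckets requests by caller and minute and flags any caller that touched an unusually large number of distinct profiles in one bucket. The log format, the `caller` and `profile` field names and the threshold of 10 are assumptions.

```python
# Added example, not Peloton's code: a scrape-detection pass over
# constructed API access-log lines. Log format, field names and the
# threshold are assumptions made for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> caller=<id> profile=<target>".
# m42 looks at two profiles; m99 walks twelve distinct ids in one minute.
SAMPLE_LOG = """
2021-01-21T10:00:01Z caller=m42 profile=u1
2021-01-21T10:00:09Z caller=m42 profile=u2
2021-01-21T10:00:11Z caller=m42 profile=u1
""" + "\n".join(
    f"2021-01-21T10:01:{i:02d}Z caller=m99 profile=u{i}" for i in range(1, 13)
)


def parse_line(line):
    """Return (timestamp, caller, profile), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        caller = parts[1].split("=", 1)[1]
        profile = parts[2].split("=", 1)[1]
    except (ValueError, IndexError):
        return None
    return ts, caller, profile


def distinct_profiles_per_minute(log_text):
    """Map (caller, minute bucket) -> set of distinct profiles requested."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, caller, profile = rec
        buckets[(caller, ts.replace(second=0))].add(profile)
    return buckets


def flag_scrapers(log_text, threshold=10):
    """Callers that requested at least `threshold` distinct profiles within
    any single minute, with the largest per-minute count seen for each."""
    flagged = {}
    for (caller, _minute), profiles in distinct_profiles_per_minute(log_text).items():
        if len(profiles) >= threshold:
            flagged[caller] = max(flagged.get(caller, 0), len(profiles))
    return flagged


if __name__ == "__main__":
    print(flag_scrapers(SAMPLE_LOG))
```

A real deployment would key on whatever identifies the caller in its logs (session, API key or source address) and tune the threshold to observed legitimate behaviour; the useful property is that, once the API requires an account, every scraped profile is attributable to a specific caller.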


TravelPerk raises $160M in equity and debt after a year of derailed business trips

The pandemic has hammered the travel sector over the past 12 months so you’d be forgiven for feeling a bit of pre-COVID-19 déjà vu at this news: Business trip booking platform TravelPerk is announcing a $160M Series D.

The round, which is a mix of equity and debt funding, is led by London-based growth equity firm Greyhound Capital. Existing investors also participated (specifically: DST, Kinnevik, Target Global, Felix Capital, Spark Capital, Heartcore, LocalGlobe and Amplo).

No valuation is being disclosed, nor is the split between equity and debt. So it’s a bit more of a convoluted ‘vote of confidence’ vs TravelPerk’s pre-pandemic raises — as you’d expect given the locked down year we’ve all had.

The Series D means the 2015-founded Barcelona-based startup has pulled in a total of $294M to-date for its user-friendly retooling of business trip booking geared toward ‘global SMEs’, following a top-up of $60M (in 2019) to its 2018 $44M Series C — which itself fast-followed a $21M Series B that same year.

TravelPerk’s approach is akin to a consumerization play for the (non-enterprise end of) business trip booking, combining what it bills as “the world’s largest bookable travel inventory” — letting users compare, book and invoice trains, cars, flights, hotels and apartments from a range of providers including Kayak, Skyscanner, Expedia, Booking.com, and Airbnb — with tools for businesses to manage and report trips.

There’s the obligatory freemium tier for the smallest teams. It also offers 24/7 traveler support, a flexible booking option and an open API for custom integrations.

There was no funding announcement for TravelPerk in 2020, as investors took a break from the pandemic-struck sector. But earlier this year it told TechCrunch it had been starting to see interest picking up again, as of fall 2020. The closing of a Series D now — albeit debt and equity — suggests VCs are getting over the worst of their travel wobbles.

(Another sign on that front is the $155M Series E raise for U.S.-based TripActions, which closed in January on a $5BN valuation, as U.S. corporate travel lifted off from 2020’s lows.)

TravelPerk’s PR talks bullishly about momentum and using the funds to accelerate ‘global growth’, even as the coronavirus continues to hit parts of Europe and the U.S. — its two main markets — despite what are relatively advanced vaccination rollouts (especially the US) vs other parts of the world.

At the time of writing, COVID-19 is taking a particularly heavy toll on India, where the health system looks to be careening out of control in the face of a massive wave of infections. Parts of Latin America are also struggling. A third of the way through 2021 the pandemic looks far from done. And that makes for a still uncertain outlook for business travel over the coming months.

The typical pre-pandemic business trip is now a Zoom call, while former conference calls may have morphed into emails or group chatter in Slack. And there’s no immediate reason for that to change, given remote-working professionals have had a year to adjust to a richer mix of digital comms tools.

In 2021 it’s hard to imagine an overwhelming return for business travel — not least as plenty of offices remain shuttered. The contagion risk vs hard-to-quantify in-person networking rewards associated with non-essential business trips will surely see work trips remaining a hard sell for a lot of companies.

Still, TravelPerk and its investors are willing to bet that work trips will rebound — in time.

The plan is to be ready to meet what it expects will be a far more ‘moveable feast’ of business travel demand in the future.

“Travel is definitely coming back,” says CEO and co-founder, Avi Meir. “We can see that already with the numbers. In the US for instance, we can see a 70-75% recovery in domestic flights compared to the baseline before COVID-19.

“In Europe it’s a little less certain right now, as vaccine rollout isn’t as fast, but you can look to other parts of the world and with some degree of certainty predict what the European recovery will eventually look like by looking at those examples.”

“We expect the overall global recovery in travel to be uneven over the next year, with different countries reopening at different times, meaning constantly changing guidelines and restrictions,” he goes on. “We’ll continue living in a stage of uncertainty probably for the next 12 months or longer.

“We’ve realised from speaking to our customers that the demand for travel is there, people are eager to do these trips, but this period of uncertainty makes it difficult for them so we’re focused on finding solutions that can address that.”

TravelPerk didn’t sit on its hands last year as global business travel cratered. Instead, it focused on investing in product development, making bets on how it needs to tool up for the new climate of increased uncertainty — including by taking a number of steps toward making its business more resilient to the ravages of COVID-19.

Last October it launched an API — saying it wanted to help the wider travel industry access up to date info on coronavirus restrictions. It also picked up a risk management startup, called Albatross, back in July, to feed its own resilience efforts.

Another more recent acquisition was geared toward scaling its business in the U.S. — where domestic travel looks to be recovering faster than Europe. In January it announced it was buying YC-backed rival NexTravel — gaining a base in Chicago.

At the same time, it inked a partnership with Southwest Airlines to plug a key gap in its U.S. offering.

Meir avoids breaking out any revenue growth projections for the U.S. or Europe for this year or next, when we ask, which suggests he’s preparing for lean growth in the short term.

What he does say is that investors were impressed TravelPerk managed to grow its customer base 2x in 2020 (it now has 3,000+ businesses using its platform, including a bunch of familiar startup names) — and that it avoided making layoffs (when other travel businesses swung the axe).

“Last year we doubled the size of our customer-base and we now have over 3,000 businesses using the platform, including the likes of Wise, Farfetch, GetYourGuide and Monzo. The travel budget under management also increased by almost 100% over the last 12 months,” he tells TechCrunch.

“The reason we had such interest from investors with this round is because we had, given the context, a really good 2020. We doubled our customer base, avoided making layoffs, and most importantly we were there for our customers when they needed us, constantly investing in the product to enable safe travel during Covid.”

The thesis TravelPerk is now working to is that “flexibility, safety and sustainability” will be more important than ever for business travellers, per Meir.

“Flexibility, because travel still has a lot of friction due to the different restrictions and travel lockdowns mean that a trip could be cancelled at really short notice,” says Meir. “Safety, so that every traveler knows not only what specific health requirements are in place at their destination, but also that they will get updates in real time if anything changes. Sustainability, because in this period businesses have been taking stock and realising that we all have to do more in terms of our environmental impact — and of course travel is a big part of this.”

“We have worked hard to respond quickly to these requirements,” he continues. “We updated our product and product roadmap to better match these new needs. Our flexible booking tool FlexiPerk [which TravelPerk happened to launch pre-pandemic, in summer 2019] guarantees refunds on cancelled trips at short notice; our risk-management API TravelSafe keeps travellers updated in real time on local health guidelines and restrictions; and GreenPerk, our sustainability tool, directly reduces carbon emissions through initiatives run by our partner Atmosfair.”

Sustainability and business travel aren’t a natural pairing, however. Certainly not for air travel — where environmental groups accuse carbon offsetting schemes of boiling down to ‘greenwashing’ when what’s really needed to achieve a reduction in CO2e emissions is for people to take fewer flights.

TravelPerk launched its GreenPerk offsetting scheme in February 2020, letting customers pay a fee per carbon tonne to cover its guesstimate of the total emissions toll their trip will generate. But it’s only been applied to 10% of its business volume so far.

With 90% not even being offset, you hardly need to be Greta Thunberg to call that the opposite of ‘sustainable’.

Still, Meir says he expects the offset percentage to “grow rapidly”. “We intend to use this funding to develop GreenPerk even further,” he says, adding: “We want to be the standard bearer for the industry in terms of sustainable business travel.”

However when asked whether TravelPerk might seek to advance sustainability by supporting digital replacement itself (such as by being able to offer its users videoconferencing as an alternative to flying) he declines to comment, saying: “We don’t have anything to share yet on how we’ll advance that goal [sustainability] right now, but we’re working on some exciting ideas!”

Coming up with creative ways to reduce the need for business travel certainly doesn’t feature in TravelPerk’s near term vision.

Meir predicts a “full comeback” for business travel — arguing that “the meetings that matter happen in person” — while conceding that the travel industry will nonetheless be very different. (Hence its goal of “building the products for that [more flexible] future”.)

“We expect to double down on growth in the U.S. and Europe and that includes making key hires across all roles, especially in our hubs in Chicago, London, and Barcelona,” he says, adding that it expects the team to grow “rapidly” in the next 12-24 months (without putting any numbers on the planned hires).

TravelPerk will also continue to eye acquisition targets, per Meir. “Following our first two acquisitions, of Albatross and NexTravel, this funding round will also help us to continue being aggressive in our growth strategy. We aim to complete more acquisitions this year,” he says on that. 

“Whilst many other providers have been in hibernation over the past year, we’ve been aggressive, continuing to update our product and growing our customer base, and we think that gives us a great foundation for growth in 2021 and beyond,” he adds.

Commenting on the Series D in a statement, Pogos Saiadian, investor at Greyhound Capital, said: “There is no doubt that from 2021 onwards the average business trip will look very different to how it did in 2019. We are confident that business travel will recover and thrive in the years ahead. We also believe that people will, more than ever before, need a platform like TravelPerk that has deep inventory, excellent ‘seven-star’ customer service, provides a great traveler experience and integrates with the broader tech-stack.

“We believe that this is a huge long-term opportunity, and as customers ourselves, we see first-hand the tremendous value that TravelPerk provides across organizations, from finance to admin and the travellers themselves. The fact the company is beating growth expectations already for this year further supports our belief that TravelPerk is a true market leader, and we are delighted to be supporting the next stage of the company’s growth with this investment.”