Fitness company Polar was forced to suspend its activity map after it was used to unmask some 6,500 military and intelligence officers, including those at nuclear sites, in combat in Syria and stationed at the North Korean border.
The vulnerability that allowed virtually anyone to identify individuals working at top-secret locations, such as military bases overseas, by sifting through the exercise regimens of people in that area, has been jointly reported by Bellingcat and the Netherlands' De Correspondent.
The revelation was made possible thanks to the Finnish company's Polar Flow feature that shows workout activity of the users of its app down to the tiniest detail on a global searchable map. Polar, unlike some other apps, tracks and publishes exercise information in full, including routes, dates, time, duration and place of the exercise. By analyzing the start and end points of workouts, it is reportedly possible to locate the homes of users. From there, hundreds of servicemen were identified by searching social media for their full names, which they chose to provide publicly on the Polar app.
The task was relatively easy, as the app has tracked all activity since 2014 and has collected a vast pool of data for each of its users, the investigators say. As a result, some 6,500 unique users have been identified. Among them are US troops in Iraq, Syria, Guantanamo Bay, those deployed to the demilitarized zone separating the two Koreas, staffers at the FBI and NSA, military intelligence and cyber security specialists and many others stationed at bases in Africa, South Asia and the Middle East.
While the app has been most popular in the West, investigators claimed they managed to unearth the identities and home addresses of the Russian military in Crimea.
Making your data really private on Polar Flow used to require a number of non-obvious steps, which most users apparently either didn't know about or didn't bother with. Even if all the hoops had been jumped through, data such as names, locations and photos remained publicly available, and it was still possible to retrieve a user's ID and establish that different exercise sessions belonged to the same user.
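As an added illustration, not code from the report or from Polar, the following self-audit shows the risk described above and its mitigation: it measures how strongly a user's public session start and end points converge on one spot (a residence, a base gate), then applies a privacy-zone trim that drops route points near that spot. The coordinates, sessions, radius values and function names are all constructed assumptions.

```python
import math

# Constructed sample data (not real users): each session is a list of
# (lat, lon) points; three runs begin and end at the same residence.
HOME = (60.1700, 24.9400)
SESSIONS = [
    [(60.1700, 24.9400), (60.1750, 24.9450), (60.1800, 24.9500), (60.1700, 24.9400)],
    [(60.1701, 24.9401), (60.1650, 24.9300), (60.1600, 24.9200), (60.1700, 24.9401)],
    [(60.1699, 24.9399), (60.1720, 24.9600), (60.1699, 24.9399)],
    [(60.2500, 25.0000), (60.2550, 25.0100), (60.2500, 25.0000)],  # run elsewhere
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def endpoint_exposure(sessions, radius_m=100.0):
    """For every session endpoint, count how many sessions have a start or
    end within radius_m of it. The maximum is how strongly the published
    data points at one location. Returns (max_count, anchor_point)."""
    endpoints = [(s[0], s[-1]) for s in sessions if s]
    best = (0, None)
    for start, end in endpoints:
        for anchor in (start, end):
            hits = sum(1 for pair in endpoints
                       if any(haversine_m(anchor, p) <= radius_m for p in pair))
            if hits > best[0]:
                best = (hits, anchor)
    return best


def apply_privacy_zone(session, centre, radius_m):
    """Mitigation: strip every point within radius_m of centre before the
    route is published, so the public track no longer begins or ends at
    the sensitive spot."""
    return [p for p in session if haversine_m(centre, p) > radius_m]


if __name__ == "__main__":
    print("exposure before trim:", endpoint_exposure(SESSIONS))
    trimmed = [apply_privacy_zone(s, HOME, 500.0) for s in SESSIONS]
    print("exposure after trim:", endpoint_exposure(trimmed))
```

With the constructed data, three of four sessions share an endpoint within 100 m before the trim, and no two do afterwards; a 500 m zone still leaves most of each route visible, which is the trade-off such settings make.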
The practice was in effect for over three years and only ended in August last year when the company made the most private option its default setting.
After apparently being notified about the report on its flaws, Polar announced on Friday it was "temporarily" shutting down the Explore API feature, used in Flow. In a statement, the company said that it has "recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations."
Falling short of acknowledging its responsibility for the potentially disastrous data leak, Polar instead pinned the blame on the users themselves, noting that "the decision to opt-in and share training sessions and GPS location data is a choice and responsibility of the customer."
It also stressed that the vast majority of its customers have been using the default private settings and will not have been impacted.
The case of the Finland-based company bears many similarities to that of fitness tracking app Strava, which inadvertently exposed the possible locations of many sensitive sites and of military personnel on secret missions in combat zones. In the wake of that scandal, Strava updated its all-too-revealing global heat map, tightening user privacy.