PumpUp, an Ontario-based company, bills itself as a fitness community, allowing subscribers to discover new workouts, record their results, and get advice from fitness coaches and other users.
But the company left a core backend server, hosted on Amazon's cloud, exposed without a password, allowing anyone to see who was signing on and who was sending messages -- and their contents -- in real-time.
Security researcher Oliver Hough found the exposed server and contacted ZDNet to investigate.
The server, now secured, acts as a messaging broker, directing user requests and private messages to other app users. The broker uses the little-known MQTT protocol, which developers often use for communicating with Internet of Things devices and phone apps, thanks to its low bandwidth, which cuts down on server costs and data overheads. The protocol is transitory: messages pass through the broker to whoever is subscribed rather than being kept in a vast centralized data store, so anyone who could connect to the broker could watch the real-time stream of data.
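To make the "exposed without a password" finding concrete at the protocol level, here is an added example (not code from the article or from PumpUp) that parses MQTT 3.1.1 CONNECT packets and flags clients that connect with no username or password set, which is what an operator auditing a capture of their own broker's port would look for. The two sample packets are constructed for this example, not captured from any real broker.

```python
import struct

def _decode_remaining_length(buf, pos):
    """Decode the MQTT variable-length 'remaining length' field (1-4 bytes)."""
    multiplier, value = 1, 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")

def _read_string(buf, pos):
    """Read a length-prefixed (big-endian uint16) UTF-8 string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n

def parse_connect(packet):
    """Return the security-relevant fields of a CONNECT packet; password is never retained."""
    if packet[0] >> 4 != 1:  # control packet type 1 == CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated CONNECT packet")
    proto, pos = _read_string(packet, pos)          # "MQTT"
    level, flags = packet[pos], packet[pos + 1]     # protocol level, connect flags
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_string(packet, pos)
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    username = None
    if has_user:
        username, pos = _read_string(packet, pos)
    if has_pass:
        _, pos = _read_string(packet, pos)  # read past the password, do not keep it
    return {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username": username,
            "anonymous": not (has_user and has_pass)}

def flag_anonymous_connects(packets):
    """Client IDs that connected without both a username and a password."""
    return [parse_connect(p)["client_id"] for p in packets if parse_connect(p)["anonymous"]]

# Constructed samples: one anonymous CONNECT, one with username "app" and a password.
ANON_CONNECT = b"\x10\x18" + b"\x00\x04MQTT\x04\x02\x00\x3c" + b"\x00\x0cpumpup-ios-1"
AUTH_CONNECT = (b"\x10\x21" + b"\x00\x04MQTT\x04\xc2\x00\x3c" + b"\x00\x08client-2"
                + b"\x00\x03app" + b"\x00\x06s3cret")
```

A broker that accepts the first packet will hand every subscriber the live message stream, which is the failure mode described above; the fix is to require credentials (and TLS, since MQTT credentials otherwise cross the wire in the clear) on the broker itself.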
Each time a user sent a message to another user, the app exposed user profile data -- and the private contents of that message.
The exposed data included email addresses, dates of birth, gender, the user's city or town, and their timezone. The data also included the user's app bio, workout and activity goals, full-resolution profile photos, the users they had blocked, and whether they had rated the app.
The app also exposed user-submitted health information -- such as height, weight, and other data points, like caffeine and alcohol consumption, smoking frequency, health concerns, medications, and injuries.
Also included in the exposed data was device data, such as iOS and Android advertiser identifiers, users' IP addresses, and session tokens for the app, which could be used to gain access to a user's account without needing their password.
Users who signed in using Facebook also had their access tokens exposed, putting their Facebook accounts at risk.
In some cases, we also found unencrypted credit card data -- including card numbers, expiry dates, and card verification values.
It's not known for how long the server was exposed, but the company was slow to pull the server offline.
We spent over a week trying to inform the company of the breach. ZDNet contacted the company's chief executive Garrett Gottlieb, several of his staff, and even the company's customer support inbox -- but our emails were not returned. The company's backers, General Catalyst -- which invested $2.4 million into the app -- also did not respond to our inquiries.
The server is thought to have been quietly secured earlier this week. We contacted Gottlieb again prior to publication but did not receive a response.
It's not known if the company, which also has an office in San Francisco, will disclose the data breach to regulators in California, as the law there mandates. Canada's mandatory data breach notification law comes into effect later this year.
But given how many of the app's users are located in Europe, the company also faces action under the EU's newly implemented General Data Protection Regulation. The law, known as GDPR, came into effect on May 25 and allows regulators to fine companies that violate the new law up to four percent of the firm's global revenue for the previous year.
According to recent research, two-thirds of organizations were not prepared for the new EU law, just weeks before it was implemented.