The vulnerability that allowed virtually anyone to identify individuals working at top-secret locations, such as military bases overseas, by sifting through exercise regimens of people in that area, has been jointly reported by Bellingcat and the Netherlands' De Correspondent.
Polar is the manufacturer of such popular running watches as the Polar M200 and M400, as well as fitness-oriented smart watches like the Polar M430 and M600, while its Polar Flow app is used to organize and view user data.
While Polar is hardly the only company to display users' workout data and profiles (Strava, Runkeeper and Endomondo do this as well), its map was the only one that let the reporters see every fitness routine recorded all the way back to 2014.
However, the investigation claims it was able to obtain details from private profiles as well as public ones. According to the investigation, the app's activity tracking map (named "Explore") exposed the home addresses of thousands of users, including soldiers and secret agents. It then becomes a very simple task to find an individual who works at a military base, including not only their name and what they look like, but also where they live. Because people tend to turn their fitness trackers on or off when leaving or entering their homes, they unwittingly mark their houses on the map.
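As an added illustration (not code from the report or from Polar), the following Python shows why the first and last GPS fixes of a session point straight at a home address, and the standard mitigation of a privacy zone that drops every fix within a configured radius of home before the session is shared. The home coordinates, radius and track are constructed values.

```python
import math

# Constructed values: an assumed home location and a made-up run that
# starts at the front door and ends there.
HOME = (52.0900, 5.1200)
PRIVACY_RADIUS_M = 500  # drop everything within 500 m of home

SAMPLE_TRACK = [
    (52.0900, 5.1200),  # start: tracker switched on at home
    (52.0920, 5.1230),  # roughly 300 m away, still inside the zone
    (52.0960, 5.1300),  # roughly 950 m away
    (52.1000, 5.1400),  # turnaround point
    (52.0960, 5.1300),
    (52.0920, 5.1230),
    (52.0900, 5.1200),  # stop: tracker switched off at home
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def inferred_endpoints(track):
    """What a public map gives away: the first and last recorded fixes.
    Returns None for an empty track."""
    if not track:
        return None
    return track[0], track[-1]


def apply_privacy_zone(track, home, radius_m):
    """Remove every fix inside the zone before the session is published.
    Filtering all points (not just trimming the ends) also hides a
    mid-run pass by the house."""
    return [p for p in track if haversine_m(p, home) >= radius_m]


if __name__ == "__main__":
    print("raw endpoints:   ", inferred_endpoints(SAMPLE_TRACK))
    redacted = apply_privacy_zone(SAMPLE_TRACK, HOME, PRIVACY_RADIUS_M)
    print("shared endpoints:", inferred_endpoints(redacted))
```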
"We were able to scrape Polar's site for individuals' exercise at 200-plus sensitive sites, and we gathered a list of almost 6500 unique users", researcher Foeke Postma wrote.
The individuals whose personal addresses were discovered included employees from the United States' National Security Agency, the UK's Government Communications Headquarters and MI6 as well as Russia's Main Intelligence Directorate or GRU. Even sensitive personnel often used their real names, making them easy to identify.
On Friday, the company issued a statement in which it said that it did not leak users' private information and that there had been no data breach affecting private data. "We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing Global Positioning System files of sensitive locations", Polar said in the statement.
"Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case", it said.
If that wasn't bad enough, many Polar users are publicly sharing their full names and providing a profile picture.