The developer of a popular fitness app has been forced to suspend one of its core services after reporters found a way to track the location and uncover the identity of thousands of military personnel.
Finnish firm Polar produces a variety of devices and the Polar Flow app, which claims to allow users to make their profiles private.
However, according to reports in the Dutch media and UK site Bellingcat, an API error exposed the fitness activities of private users all the way back to 2014.
From that information it was simple to spot, on the map, where the user was exercising and where they lived.
Over 6400 users were apparently identified in locations such as MI6, the White House, the NSA and military bases including Bagram Airfield in Afghanistan.
Polar responded on Friday by suspending the Flow Explore feature, and implementing “corrective actions.”
The firm explained that the problem stemmed from users who had run both public and private sessions on the app, which could be linked by their unique User Identifier (UID).
“With the help of this identifying UID it was possible to retrieve users’ public training sessions by altering the search parameters in the browser. By doing this, the training sessions belonging to a private profile could be linked to each other. Training sessions that have not been set to public by the user are not displayed publicly,” it continued.
“When there are multiple public training sessions that always start and end in the same location, it is possible to deduce potential points of interest associated with the user. The same method also worked the other way round: one could first find sessions in a specific location and then search for these users’ other training sessions. This was especially unfortunate, for example, for military personnel and intelligence agents.”
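The statement above describes two server-side mistakes: the explore endpoint honoured a caller-supplied UID filter, and it applied only the per-session "public" flag rather than the profile-level "private" setting, so a private profile's public sessions could still be listed and tied together by UID. The following is an added illustration, not Polar's code; the data model, the function names `explore_flawed` and `explore_hardened`, and the sample profiles and sessions are all constructed for the example. The hardened handler takes the requester's identity from the authenticated session rather than a query parameter, refuses UID-filtered listings of other people's sessions, hides every session of a private profile from public search, and strips the owner identifier from records it does return so that nothing in the response can be used to link sessions to one another.

```python
"""Public 'explore' endpoint: flawed variant beside a hardened one (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    uid: str
    private: bool  # profile-level setting chosen by the user


@dataclass(frozen=True)
class Session:
    session_id: str
    uid: str        # owner's unique User Identifier
    public: bool    # per-session visibility flag
    start: Tuple[float, float]  # (lat, lon) of the session start


# Constructed sample data: one public profile, one private profile that
# nevertheless owns two sessions flagged public.
PROFILES: Dict[str, Profile] = {
    "u100": Profile("u100", private=False),
    "u200": Profile("u200", private=True),
}
SESSIONS: List[Session] = [
    Session("s1", "u100", True, (60.17, 24.94)),
    Session("s2", "u200", True, (34.94, 69.26)),
    Session("s3", "u200", False, (34.95, 69.27)),
    Session("s4", "u200", True, (34.94, 69.26)),
]


def explore_flawed(params: Dict[str, str], requester: Optional[str]) -> List[dict]:
    """Checks only the per-session flag and honours any 'uid' filter supplied
    in the query string, so a private profile's public sessions are returned
    together with the UID that links them (the behaviour described above)."""
    target = params.get("uid")
    return [
        {"session_id": s.session_id, "uid": s.uid, "start": s.start}
        for s in SESSIONS
        if s.public and (target is None or s.uid == target)
    ]


def explore_hardened(params: Dict[str, str], requester: Optional[str]) -> List[dict]:
    """requester is the authenticated user (None for anonymous), never a
    query parameter. A 'uid' filter is only valid for one's own sessions;
    private profiles contribute nothing to public search; and records of
    other users' sessions omit the owner identifier entirely."""
    target = params.get("uid")
    if target is not None and target != requester:
        return []  # a real handler would answer HTTP 403 here
    out: List[dict] = []
    for s in SESSIONS:
        if target is not None and s.uid != target:
            continue
        if requester is not None and s.uid == requester:
            # Owners always see their own sessions, including private ones.
            out.append({"session_id": s.session_id, "uid": s.uid, "start": s.start})
            continue
        owner = PROFILES.get(s.uid)
        if owner is None or owner.private or not s.public:
            continue  # profile privacy overrides the per-session flag
        # No owner identifier in public records: nothing to link sessions on.
        out.append({"session_id": s.session_id, "start": s.start})
    return out


if __name__ == "__main__":
    print("flawed, anonymous, uid=u200:", explore_flawed({"uid": "u200"}, None))
    print("hardened, anonymous, uid=u200:", explore_hardened({"uid": "u200"}, None))
    print("hardened, anonymous, no filter:", explore_hardened({}, None))
```

Run as a script, the flawed handler lists the private profile's two public sessions keyed by the same UID, while the hardened one returns nothing for that query and, for an unfiltered anonymous query, returns only the public profile's session without any UID field. The split between "is this session public" and "is this profile private" is the check worth adding to any endpoint that searches across users.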
The discovery comes just a few months after fitness app Strava was found to be revealing potentially sensitive information about military bases and supply routes via its global heat-map website.