A loophole in a popular fitness app was recently exploited by unknown individuals to track members of Israeli security forces as they moved around the country’s military bases and even traveled abroad, an online investigation group revealed Tuesday.
According to the investigation, the unknown individuals used a GPS-based feature in the Strava app to create shareable running routes at Israeli army bases and security sites. When these were then utilized by security personnel for exercise, the app exposed their private location-tracking information to the route’s creator, even if they had their security settings at the highest level.
The operation was uncovered by Israeli group FakeReporter and was first reported by The Guardian. The report said the feature in the Strava app could also have been used to track Israeli security personnel as they moved around the world, including while on official business.
FakeReporter said that information on about 100 individuals in the security forces using the Strava fitness app had been compromised, including members of intelligence units and the Israeli Air Force, as well as individuals at the Defense Ministry.
The Guardian said it had seen the data of an individual who appeared to be stationed at a base linked to Israel’s nuclear program, and was able to track that person on visits to other military sites as well as to a foreign country.
The hack exploited routes at six military facilities in Israel, FakeReporter said.
The Guardian said it was unclear who was behind the effort to gather the information, but that they had found a way to track individuals by exploiting a specific feature of the app, even if the user had the strongest privacy settings on their phone and on the app.
The hackers created an anonymous profile on the app under the name “Ez Shl,” giving its location as Boston, Massachusetts. Anyone is able to set up a profile and the user does not need to prove that they are legitimate in any way. It was unknown who had created the user.
That account then used the “segment” feature of the app, which allows users to upload information about a running or bike route so that others can use it and compete against them.
Those routes can be uploaded via the app but also using GPS data. This means that the user doesn’t need to actually have been at the location and Strava has no way of checking whether it is legitimate. In fact, the Guardian said that many routes on the app are clearly artificially generated as they feature impossible speeds and terrain.
The British newspaper said that while users can ramp up their security settings on the app so that their information can generally only be seen by confirmed followers, information on the segments they have run can be seen unless they enter the app’s settings each time to ensure that an individual run or bike ride was hidden.
Unless they made that change — which they were unlikely to know was necessary — their photo, first name and surname initial would be visible on the segments that they had run, a feature The Guardian said was implemented in the app to encourage “friendly competition” between users. Access to profiles can then also reveal past routes taken by the user.
FakeReporter’s executive director, Achiya Schatz, told The Guardian that Israeli authorities were apprised of the breach as soon as they discovered it, and that Strava had then also been told of the issue.
“We contacted the Israeli security forces as soon as we became aware of this security breach. After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue,” Schatz said.
“By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike,” Schatz said.
In a statement to The Guardian, Strava said it had taken “the necessary steps to remedy this situation,” and encouraged users to check the settings on the app “to ensure their selections in Strava represent their intended experience.”
This is not the first time that the Strava app has been caught up in a privacy scandal related to serving members of the military.
Last year, the Haaretz daily reported that a member of the Shin Bet had inadvertently revealed information on overseas travel of officials via the Strava app, including to countries that did not have relations with Israel.
In 2018, Strava Labs released a map showing the movements of its app users around the world, indicating the intensity of travel along a given path — a “direct visualization of Strava’s global network of athletes,” it said.