Fitify, a widely used fitness application with over 25 million installs, recently suffered a significant data exposure due to a misconfigured Google Cloud Storage bucket. In early May, researchers from Cybernews identified that this Fitify-owned bucket was publicly accessible, allowing anyone to view its contents without a password or security key. While the exposed files included a range of material such as workout plans and instruction videos, the most concerning discovery was highly sensitive user-uploaded content, specifically progress pictures and body scans.
The nature of these leaked images amplifies the severity of the breach. Fitify users, often aiming to track their body transformations, frequently upload “progress pictures” and use “body scans” that depict them in minimal clothing to clearly show changes from weight loss or muscle growth. This makes the exposed images exceptionally private, something users would typically expect to remain confidential. Although Fitify’s Google Play store description reassures users that “data is encrypted in transit,” the discovery showed that data was not sufficiently protected “at rest,” undermining trust in the app’s stated security measures.
The extent of the Fitify data leak was substantial. The now-secured Google Cloud Storage bucket contained a total of 373,000 files. Among these, 206,000 were user profile photos, and 138,000 were explicitly labeled as progress pictures. A further 13,000 files were attached to messages with the app’s “AI coach,” and another 6,000 files constituted “Body Scan” data, complete with images and associated AI metadata. This exposure encompassed deeply personal visual information, directly contradicting the privacy users expect from an app designed to support their fitness journeys.
Beyond the misconfigured cloud storage bucket, the Cybernews investigation also uncovered further security vulnerabilities within the Fitify application itself.
By analyzing a dataset of iOS apps, researchers found that Fitify’s application code contained hardcoded secrets, including Android and Google Client IDs, Google API Keys, Firebase URLs, and Project IDs. These hardcoded credentials, particularly those for the development environment, could be exploited by attackers to gain access to even more customer data and to the application’s backend infrastructure. This indicates that the misconfigured cloud storage was not an isolated incident but symptomatic of broader security oversight.
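The kinds of identifiers the researchers describe have publicly documented shapes, which is what makes them easy to catch in a pre-release scan of an app bundle or source tree. The following is an added example written for this article, not code from Cybernews or from Fitify: a small pattern-based scanner run over constructed sample files. Every value in the sample files (the API key, client ID, Firebase URL and file paths) is constructed for the demonstration and is not a real Fitify value.

```python
import re
from typing import Dict, List, Tuple

# Documented shapes of the identifier types named in the article:
#   Google API key: "AIza" followed by 35 URL-safe characters
#   Google OAuth client ID: <project-number>-<hash>.apps.googleusercontent.com
#   Firebase Realtime Database URL: https://<project>.firebaseio.com
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "google_oauth_client_id": re.compile(
        r"\b\d+-[0-9a-z]+\.apps\.googleusercontent\.com\b"
    ),
    "firebase_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
}

# Constructed sample "app bundle": one development config that leaks
# identifiers and one clean source file. None of these values are real.
SAMPLE_FILES: Dict[str, str] = {
    "config/dev.json": """{
  "apiKey": "AIzaSyEXAMPLE0123456789abcdefghijklmnop",
  "clientId": "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com",
  "databaseURL": "https://example-fit-dev.firebaseio.com",
  "projectId": "example-fit-dev"
}""",
    "src/Main.kt": 'val greeting = "Welcome to the workout"\n',
}


def redact(value: str) -> str:
    """Keep only the leading and trailing characters so a report can be
    shared without re-leaking the secret it found."""
    if len(value) <= 12:
        return value[:4] + "****"
    return value[:6] + "****" + value[-4:]


def scan_sources(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, finding_kind, redacted_match) for every pattern hit.

    A hit is a triage lead, not a confirmed exposure: the follow-up is to
    check what each key or client ID is scoped to and whether the project
    it points at is production or, as in the article, a development one.
    """
    findings: List[Tuple[str, str, str]] = []
    for path, content in sorted(files.items()):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(content):
                findings.append((path, kind, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for path, kind, value in scan_sources(SAMPLE_FILES):
        print(f"{path}: {kind}: {value}")
```

Because the scan is purely textual it works equally on a decompiled binary's string table, so the same check can be run against a built artifact before it is published, where the hardcoded values would actually ship.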
Upon being contacted by Cybernews researchers, Fitify Workouts, the company behind the app, acted swiftly to address the issue. The exposed Google Cloud Storage bucket was promptly closed and removed from public access. While this quick response limited further immediate risk, the incident underscores the importance of robust access controls, secure storage practices, and regular security audits for applications handling sensitive user data, especially in the health and fitness sector, where personal information is often deeply intimate.
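The misconfiguration described in the article, a bucket readable by anyone without a password or key, corresponds in Google Cloud Storage to an IAM binding that grants a role to the `allUsers` or `allAuthenticatedUsers` principal. The following added example, which is not code from Cybernews or Fitify, audits a bucket IAM policy for such bindings and produces the corrected policy with them removed. The policy document is a constructed sample in the shape returned by `gcloud storage buckets get-iam-policy`; the service account address, bucket and etag in it are placeholders.

```python
import json
from typing import Any, Dict, List

# allUsers grants access to anyone on the internet; allAuthenticatedUsers
# grants it to anyone holding any Google account, which for a bucket of
# user photos is public in every way that matters.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (placeholder principal and etag), in the shape
# returned by: gcloud storage buckets get-iam-policy gs://<bucket> --format=json
WEAK_POLICY: Dict[str, Any] = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:app-backend@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "PLACEHOLDER_ETAG"
}
""")


def find_public_bindings(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per (role, public principal) pair in the policy."""
    findings: List[Dict[str, str]] = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"role": binding["role"], "member": member})
    return findings


def remove_public_bindings(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the policy with public principals stripped.

    Top-level fields (version, etag) are preserved so the result can be
    written back with the optimistic-concurrency etag intact. Bindings left
    with no members are dropped; conditions on surviving bindings are kept.
    """
    fixed: Dict[str, Any] = {k: v for k, v in policy.items() if k != "bindings"}
    fixed["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            new_binding = dict(binding)
            new_binding["members"] = members
            fixed["bindings"].append(new_binding)
    return fixed


if __name__ == "__main__":
    for finding in find_public_bindings(WEAK_POLICY):
        print(f"PUBLIC: {finding['member']} has {finding['role']}")
    print(json.dumps(remove_public_bindings(WEAK_POLICY), indent=2))
```

Removing the binding closes the immediate hole, as Fitify's fix did. The durable control is to make the weak state impossible to re-create by enforcing public access prevention on the bucket (for example `gcloud storage buckets update gs://BUCKET --public-access-prevention`), so that any future binding to `allUsers` or `allAuthenticatedUsers` is rejected rather than silently honoured; the audit above then becomes a check that the setting is still in force rather than a hunt for bindings.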