A fitness app called Polar Flow has exposed the home and work locations of scores of soldiers and spies across the globe.
Developed by Finland-based fitness-tracking giant Polar, the app inadvertently exposed its users’ fitness data dating back to 2014 simply by altering the browser’s web address.
“The manufacturing company known for making the world’s first wireless heart-rate monitor uses its site ‘Polar Flow’ as a social platform where users can share their runs,” stated a report of an investigation conducted by Bellingcat researchers and journalists at De Correspondent. “Compared to the similar services of Garmin and Strava, Polar publicizes more data per user in a more accessible way, with potentially disastrous results.”
Polar exposed users’ heart rates, dates, times, routes, duration of workouts and pace of exercises carried out at military bases and suspected nuclear weapons storage facilities. The app also revealed the location of military personnel in the Green Zone in Baghdad, intelligence agencies and agents’ home addresses, airmen combating ISIS and more.
“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” Bellingcat researchers said. “From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name.”
The app also exposed sensitive information of FBI and NSA officials, as well as military personnel specialized in military defense, cybersecurity and other classified domains.
Given the breadth of data exposed by the app, it would be fairly simple for anyone to obtain a soldier’s home location, photograph, time of deployment and mission role.
This information could easily be used by extremists or adversary intelligence services, potentially resulting in catastrophe.
“The security implications are obviously grave. In countries where soldiers were banned from wearing their uniforms on the street in the off-chance that they would run into a potential terrorist, addresses and living patterns can now be found easily by anyone with internet access and the wits to use Polar’s site,” Bellingcat researchers noted.
Polar has temporarily disabled the global activity map feature which exposed soldiers’ and spies’ sensitive data.
“We apologize for the situation. We have already implemented corrective actions and continue to take additional measures as a precaution. As a result, the Flow Explore feature has been disabled until further notice,” Polar said in a statement.
“While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”
The breach comes just months after the massive Strava app breach, which also saw the fitness app tracking and revealing the location of military personnel working out at classified military bases.
The breach involved the fitness app exposing every single fitness activity uploaded to the app. Strava’s heatmap feature resulted in anyone being able to map out the location of military bases across the globe. Strava reportedly said that it would work with the US military personnel to address the issues. However, the Pentagon and the Australian military both said that they were considering taking action to prevent such breaches.