A popular fitness app that tracks the activity data of millions of users has inadvertently revealed the locations of personnel working at military bases and intelligence services.
The app, Polar Flow, built by its eponymous company Polar, a Finland-based fitness tracking giant with offices in New York, allowed anyone to access a user's fitness activities over several years -- simply by modifying the browser's web address.
For most users who set their activity tracking records to public, posting their workouts on Polar's so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user's fitness activity can reveal where a person lives.
An exposed location of anyone working at a government or military installation can quickly become a national security risk.
It's the second time this year a fitness app has sparked controversy by revealing the locations of personnel at sensitive installations. Strava was forced to pull its maps offline[1] and change its privacy settings after word quickly spread that the fitness trackers used by military personnel were exposing the classified routes between bases on the battlefield, making it easy to launch attacks. Much of the controversy was because the companies put the onus of privacy on the user, but many are not aware their information is searchable, let alone accessible by anybody.
Although the existence of many government installations is widely known, the identities of their employees were not.
But now, an investigation by Dutch news site De Correspondent[2] and Bellingcat[3] found that Polar Flow exposed their fitness tracking data. The company's developer API could be improperly queried to retrieve fitness activities, like each