Strava app flaw revealed runs of Israeli officials at secret baseson June 21, 2022 at 3:42 pm

- Advertisement -
- Advertisement -
- Advertisement -
- Advertisement -

A vulnerability in the fitness app allowed Israeli officials’ movements to be tracked, a group says.

A screenshot posted by FakeReporter showing past runs by an unidentified user at an Israeli military intelligence facility in Moshav Ora, IsraelImage source, FakeReporter

A security vulnerability in the fitness app Strava allowed suspicious figures to identify and track security personnel working at secretive bases in Israel, a disinformation watchdog says.

FakeReporter found that by uploading fake running “segments” a user could learn the identities and past routes of others active in the area, even if they had the strongest privacy settings.

Information about 100 individuals who exercised at six bases was viewable.

Strava said it had addressed the issue.

Israeli officials have so far not commented on the report.

But this is not the first time that Strava’s tracking features have sparked such security concerns.

In 2018, the company published a “heatmap” that also revealed the exercise routes of people at military bases around the world, including US facilities in Syria.

San Francisco-based Strava is used by more than 95 million people in 195 countries.

Its app takes data, including GPS co-ordinates, from a person’s mobile phone or wearable fitness device to track their exercise activity.

People are able to upload their running and cycling times and compare their performances with others who followed the same routes.

FakeReporter, an Israeli group that combats malicious online activity, reported that a suspicious user named “Ez Shehl” had exploited these functions to upload fake GPS data to create route segments inside secret facilities associated with Israel’s military, the Mossad intelligence agency and the Shin Bet internal security service.

The segments featured straight GPS lines, no times, and unrealistic pacing, such as covering 500m in 0 seconds.

A screenshot posted by FakeReporter showing a Strava "segment" at the Mossad intelligence agency's headquarters in Tel Aviv, Israel

Image source, FakeReporter

The timings and personal details – including photos, home addresses and the identities of family members – of other users who ran the same segments were subsequently revealed on the Strava scoreboard, even if they had their accounts set to “private”.

A senior defence official identified as “N” was one of at least 100 Israeli individuals affected by the vulnerability, according to FakeReporter. It posted screenshots showing runs from their home and inside various air force bases in Israel, as well as runs in Ukraine.

FakeReporter said it had told Israeli authorities about the security breach as soon as it became aware and that it had contacted Strava after receiving their approval.

“Despite past revelations, it does not appear that Israeli security agencies have caught up,” Achiya Schatz, the watchdog’s director, said in a statement. “Although Strava made significant updates to its privacy settings, confused users might still be exposed publicly, even if their profiles were set to ‘private’.”

“By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike.”

Strava told Israel’s Haaretz newspaper: “We take matters of privacy very seriously and have addressed the reported issues.”

- Advertisement -

Discover

Sponsor

Latest

Fishmongers’ Hall: Steven Gallant to be freed from prisonon July 6, 2021 at 7:10 pm

Convicted murderer Steven Gallant was on day release when he helped stop a knifeman's rampage.image copyrightMet PoliceA convicted murderer who tackled the Fishmongers' Hall...

Ukraine conflict: Russia’s Kharkiv attacks are war crimes, says Zelenskyon March 2, 2022 at 4:56 am

The Ukrainian president asks the EU to prove it is with his country, while accusing Russia of terrorism.This video can not be playedTo play...

Kill the Bill Bristol protests: Police action at demoon March 24, 2021 at 3:29 am

Police officers arrest demonstrators protesting in the city centre at the new police bill.Fourteen people have been arrested at a second night of protests...

Covid: NHS bosses call for free tests and isolation to remainon February 18, 2022 at 1:31 am

Senior NHS staff say they disagree with the prime minister's planned changes to English Covid rules.Image source, ANDY RAINA group that represents NHS bosses...

Royal Mail wants fleet of 500 drones to carry mail to remote UK communitieson May 11, 2022 at 11:31 pm

Fifty drone routes could bring mail to remote communities such as the Hebrides and Isles of Scilly.Image source, Royal MailThe Royal Mail wants a...