Security flaws in Strava, a social fitness app, reveal the identities of Israeli soldiers at military bases

Many years ago, Strava, a data-hungry fitness-cum-social-network app, released a heatmap showing every activity its users had logged, over 3 trillion data points. Neat, isn’t it? It was. Problematic, too. The visualization appeared to give away the locations of secret US military bases and spy outposts in places like Afghanistan and Syria.

The company caught a lot of flak for the heatmap, and in response, San Francisco-headquartered Strava released a blog post urging users to review their privacy settings, saying it would “review features that were originally designed to inspire and motivate athletes to make sure they cannot be compromised by people with bad intent.” It did not elaborate on which features it reviewed or whether the review produced any specific changes. In other words: everything’s fine, Strava seemed to promise.

Ah well. A new report from FakeReporter, a group of Israeli cybersecurity researchers, shows how another Strava feature was used by a malicious party (the researchers are not sure who) to gather information about Israeli troops at six bases across the country. Even users who had limited the visibility of their Strava profiles had their names revealed by the group-challenge feature, Segments.

Achiya Schatz, executive director of FakeReporter, said: “We were able to use this breach to find out more about the fake user base and the many members and agents of Israel’s top security forces there.”

FakeReporter found only this one such incident, but the researchers believe it is plausible, perhaps even likely, that someone has used the same technique to gather user information outside Israel. FakeReporter’s findings show how difficult it can be even for well-intentioned users to protect their identities, now that location tracking is nearly a default in mobile apps. Like many other companies, Strava prefers to push the responsibility for protecting users’ personal information onto the users themselves: it offers options to lock down an account but makes the process uninviting. Strava is probably reluctant to make strict privacy settings the default because they could make its product less engaging and less shareable, which would mean, in the end, fewer users.

Here’s what the FakeReporter crew found. A tip sent through the researchers’ website asked them to examine several uses of Strava’s Segments feature in Israel. The Segments tool allows any user to set up a map-based physical challenge (say, a five-mile run around a lake) with a publicly viewable leaderboard available to all Strava users. (The basic version of the app is free. A $59.99 annual subscription gives access to additional, premium features.) When FakeReporter staff looked at the segments, it was immediately clear to the researchers that the anonymous user who had created them had never been to Israel or performed any of these activities.

How clear? For starters, the user’s logged runs were simple, geometrically perfect straight lines. No one really runs like that. In addition, the user did things like completing about three-quarters of a mile in zero seconds. At an Israeli Air Force base, the user ran 2.5 miles in 4 minutes. The world record for one mile is 3 minutes 43 seconds. So either the anonymous Strava user completely shattered the mark set by Moroccan runner Hicham El Guerrouj in 1999, or none of it was real.
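The tells the researchers list above (zero elapsed time, a pace faster than any human has run, a track that is a perfect straight line) are exactly the kind of plausibility checks a platform could run on uploaded efforts before publishing them to a leaderboard. The following is an added example written for this article, not Strava’s code and not part of FakeReporter’s report; the three sample activities are constructed to mirror the numbers quoted above, and the straight-line threshold is an assumed value.

```python
"""Plausibility checks for an uploaded activity effort.

Added example (not Strava's code). Given an effort's distance, elapsed time
and GPS track, return the reasons it looks fabricated: zero elapsed time,
a pace faster than the world record, or a perfectly straight track.
"""
import math

# Fastest mile ever run, 3:43 (1999), used as a hard ceiling on pace.
RECORD_MILE_SECONDS = 3 * 60 + 43

# Assumed threshold: maximum perpendicular deviation of any track point from
# the straight line between start and finish, in degrees of lat/lon
# (1e-5 degrees is roughly one metre). A real GPS track wanders far more.
STRAIGHT_LINE_EPSILON_DEG = 1e-5


def _point_line_distance(p, a, b):
    """Perpendicular distance from point p to the line through a and b.
    Flat-earth approximation; adequate over a few kilometres."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    length = math.hypot(dx, dy)
    if length == 0:
        return math.hypot(px - ax, py - ay)
    return abs(dx * (ay - py) - (ax - px) * dy) / length


def plausibility_flags(distance_miles, elapsed_seconds, track):
    """Return the list of reasons this effort looks impossible.
    An empty list means the effort passed every check."""
    flags = []
    if distance_miles > 0 and elapsed_seconds <= 0:
        # Distance covered in no time at all, e.g. 0.75 mi in 0 s.
        flags.append("zero_elapsed_time")
    elif distance_miles > 0:
        seconds_per_mile = elapsed_seconds / distance_miles
        if seconds_per_mile < RECORD_MILE_SECONDS:
            # Faster than the fastest mile ever run.
            flags.append("pace_faster_than_world_record")
    if len(track) >= 3:
        start, finish = track[0], track[-1]
        max_dev = max(_point_line_distance(p, start, finish) for p in track[1:-1])
        if max_dev < STRAIGHT_LINE_EPSILON_DEG:
            # Every intermediate point lies on the start-finish line: drawn, not run.
            flags.append("perfectly_straight_track")
    return flags


# Constructed sample inputs (not real uploads); coordinates are arbitrary.
FABRICATED_RUN = dict(
    distance_miles=2.5, elapsed_seconds=4 * 60,
    track=[(32.000, 34.800), (32.005, 34.805), (32.010, 34.810), (32.015, 34.815)],
)
ZERO_TIME_SPLIT = dict(distance_miles=0.75, elapsed_seconds=0, track=[])
GENUINE_RUN = dict(
    distance_miles=5.0, elapsed_seconds=45 * 60,
    track=[(32.000, 34.800), (32.004, 34.806), (32.009, 34.803), (32.012, 34.810)],
)

if __name__ == "__main__":
    for name, effort in [("fabricated", FABRICATED_RUN),
                         ("zero-time", ZERO_TIME_SPLIT),
                         ("genuine", GENUINE_RUN)]:
        print(name, plausibility_flags(**effort))
```

Run directly, the script reports two flags for the fabricated 2.5-mile effort (pace and straight track), one for the zero-second split, and none for the genuine run. A platform applying checks like these would have a reason to withhold such efforts from a public leaderboard, which is the point at which the names in this story were exposed.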

Rather, the segments appear to have been an attempt to obtain a continuously updated list of Israeli soldiers and military personnel: any Strava user who logged a workout along those routes would be added to the segment automatically. That’s exactly what happened. The segments eventually collected dozens of users. Even Strava users who had limited the visibility of their profiles had their names listed on the segments’ leaderboards. To prevent this, they would have had to dig into their account settings and change the “Activities” visibility to stop sharing personal information on segments. (Strava’s default is, of course, a fully public account. The more you broadcast about yourself, the more you interact, the more you use Strava, and probably the more likely you are to pay for Strava’s annual subscription.)

So the heatmap? Yes, it was bad. But segments create an even greater security risk. The map shows, in general, where the military may be. The segments compile a specific list of military personnel.

With the names from the bogus segments, FakeReporter was able to quickly find more personal details about Israeli soldiers, including family members, home addresses, colleagues and travel history. In all, FakeReporter identified at least 100 Israelis through the segments.

It would be unfair to pin all the blame for these security flaws on Strava. Some of it lies with the people using the app, especially, say, highly trained and educated Mossad officers who, in theory, should know better. “What we’re talking about is a combination of both stupid Israeli agents and not the most intuitive security practices and privacy settings,” Schatz said.

Strava removed the segments two months ago, after FakeReporter informed the company about the counterfeit segments in Israel. But it has not changed the basic mechanic that made the breach possible: the ability to create a segment anywhere, even somewhere the creator has never physically been. “Any country in the world is at risk for this manipulation,” Schatz said.


