Echelon Forum banner

1 - 3 of 3 Posts

·
Registered
Joined
·
69 Posts
Discussion Starter · #1 ·
Echelon said they fixed it but a security researcher found that to not be true...

"But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it."


Echelons response?

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information],” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company but said while the company said it keeps detailed logs, it did not say if it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as of this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated."


 

·
Registered
Joined
·
31 Posts

·
Registered
Joined
·
2 Posts
So where are these communications posted from Echelon CXO's. I have not received any communications nor if I search do I find this info out! Echelon is clearly going through some growing pains and they have a long road ahead of them to make the software more secure and improve how they update the apps. Their customer service also needs an upgrade.
 
1 - 3 of 3 Posts
Top