folder Filed in Discussions, General, PoC Gallery, Write Ups
Fitbit – APIs and Access Control Failures, a simple API bug allowed to harvest millions of user private activities!
Mohamed A. Baset comment 0 Comments access_time 2 min read

 In this write-up we will show you how Seekurity team was able to harvest all the user’s private/custom activities leaves more than 20 million private custom activities data in danger.

First of all, this write-up is not a new one and the discovery itself is dated back to 2017 but we decided to disclose it right now after we gave Fitbit the reasonable amount of time to patch the vulnerability and to protect the health data about the users!


Fitbit website gives the users the ability to create/log a custom activities (eg Boxing, Biking, Swimming etc..)

During our tests we noticed this weird GET request which retrieving data in JSON format:

Seems weird!

ActivityID is the vulnerable parameter, While conducting our  tests to see if we can get a different response based on a user-supplied-input randomly, we passed some values to the parameter then we noticed that we’re getting a response regardless the access level of the activity (Public or Private).


-Public Activity (accessLevel: PUBLIC)

-Private Activity (accessLevel: PRIVATE)

The Fix

The issue has been already fixed and we receive a 403 error message due to properly taking care of the API Access control Level.

Proof of Concept Video

Why this issue happened?

APIs are the first target for attackers/bug hunter and surprisingly marketers specially when it comes to data gathering on a large scale, crawlers and other data harvesting tools are functioning like a charm if you somehow forgot to secure your API endpoints.

The common vulnerabilities that can hit an API and cause a lot of headache are: Data Harvesting, No rate-limitation, SQL Injections, Cross-Site Scripting, IDOR, Information Disclosure, Missing Function Level Access Control, etc…

A minute if you please!

Building a website, API, an application or dealing with any kind of sensitive information? Anything related to the security and Safety of your business? Or already launched one without considering security? Worried about your personal security? Think twice before going public and let us protect your business!

Access Control activities API APIs Bug expose Failures Fitbit harvest leak millions private simple

Leave a Reply

Your email address will not be published. Required fields are marked *

Cancel Post Comment

Translate this blog