Strava user utilises the app's segment functionality to spy on the Israeli military

Photo credit: SOPA Images - Getty Images

Anyone who uses Strava to track their runs will know all about the segment feature on the fitness app. This is where short sections of a trail can be highlighted as a 'segment', and the time it took you to run it is then ranked against all other runners who have run it, thereby creating what Strava likes to call ‘friendly competition’.

However, The Guardian reports that an unidentified user has utilised this feature for other purposes: namely to identify members of the Israeli military in top-secret locations and military bases.

They did this by creating fake segments inside military compounds. This meant they could then observe and record the identities of those who logged times on these segments, even when users had locked down their security settings.

The security breach was discovered by Israeli open-source cybersecurity company, FakeReporter. ‘We contacted the Israeli security forces as soon as we became aware of this security breach,’ said executive director, Achiya Schatz. ‘After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue.’

The team discovered that a Strava user based in Boston, Massachusetts had created a range of fake segments within eight military bases across Israel. Some were even discovered within locations associated with its highly secure nuclear programme.

‘By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike,’ said Schatz.

The flaw in security meant the segments listed a number of people who are highly likely to be in the military. These users can then easily be tracked via their other runs on Strava, their locations can be followed and photographs can be accessed.

Strava released a statement in response to the findings, saying, ‘We take matters of privacy very seriously and have been made aware by an Israeli group, FakeReporter, of a segment issue regarding a specific user account and have taken the necessary steps to remedy this situation.’ They have also removed the user who created the fake segments.

The company has encountered problems with privacy in the past, in particular when it released heatmap data in 2018 that showed the location of classified US Army bases in Syria and Afghanistan. At that point, it said it would review its privacy features to ensure it ‘cannot be compromised by people with bad intent’ and introduced measures to allow users to tighten their privacy settings. As a result, the US Army also re-evaluated its security procedures.
