'Fitness company Polar was forced to suspend its activity map after it was used to unmask some 6,500 military and intelligence officers, including those at nuclear sites, in combat in Syria and stationed at the North Korean border.
The vulnerability that allowed virtually anyone to identify individuals working at top-secret locations, such as military bases overseas, by sifting through exercise regimens of people in that area, has been jointly reported by Bellingcat and the Netherlands’ De Correspondent.
The revelation was made possible thanks to the Finnish company's Polar Flow feature that shows workout activity of the users of its app down to the tiniest detail on a global searchable map. Polar, unlike some other apps, tracks and publishes exercise information in full, including routes, dates, time, duration and place of the exercise. By analyzing the start and end points of workouts, it is reportedly possible to locate the homes of users. From there, hundreds of servicemen were identified by searching social media for their full names, which they chose to provide publicly on the Polar app.
The task was relatively easy, as the app has tracked all activity since 2014 and has collected a vast pool of data for each of its users, the investigators say. As a result, some 6,500 unique users have been identified. Among them are US troops in Iraq, Syria, Guantanamo Bay, those deployed to the demilitarized zone separating the two Koreas, staffers at the FBI and NSA, military intelligence and cyber security specialists and many others stationed at bases in Africa, South Asia and the Middle East.
While the app has been most popular in the West, investigators claimed they managed to unearth the identities and home addresses of the Russian military in Crimea.
Making your data really private on Polar Flow used to require a number of non-obvious steps, which most users apparently either didn't know about or didn't bother with. Even if all hoops had been jumped, data like names, locations and photos remain publicly available, and it is still possible to retrieve a user's ID and establish that different exercise sessions belonged to the same user.'
Read more - Fitness tracker Polar gives away identities & locations of military, intelligence worldwide