Runtastic cannot into privacy


  • Dupa

    So, I'm using an app called Runtastic to track my training. It's quite nice, there's a quite large ecosystem built around it along with an online portal, where you can (should you pay for a year-long premium membership) track and compare your stats and records.

    Now, recently I tried to access my profile but I wasn't logged in. What a surprise it was for me to see all my private data right there on display! So I dug into the settings and sure enough there was a set of options to disable it. Of course set to "enable" by default. I switched it to "friends", thought it would be handy should I finally have some:

    Then I went to see my profile while logged out and sure enough my training data was hidden but my name was still there. OK, I can live with that, although it is a huge WTF: not only the fact that my personal information is available by default to everybody but also that I can't hide all of it. But fuck it.

    And then it got me thinking. You see, Runtastic URLs are formed this way: runtastic.com/{lang}/users/{user-id}/statistics. Hey, the IDs are probably sequential, right? Why wouldn't they be?

    And sure enough, they are:

    The URL: https://www.runtastic.com/en/users/4431512/statistics/

    I mean, WTF?! I can see other people's data BY DEFAULT?! Fuck you!

    ETA

    As it turns out, when clicking on any of the links, the id is turned into a slug. So what? You still can browse other users by increasing/decreasing the ids.


  • Winner of the 2016 Presidential Election Banned

    Including maps! Amazing.



  • @Fox said:

    Including maps

    Perfect for setting up ambushes. Excellent. :mr_burns:


  • kills Dumbledore

    If there are times of each run as well as maps, you can get a good idea of where someone lives and when they're likely to be out, as well as how long for. That's pretty dangerous information


  • Dupa

    @Fox said:

    Including maps!

    Well, I'm not sure it's that bad. At least I can't see maps of the guy I linked to, I get info that maps are only available to friends. And I'm not his friend. I still know a lot about his habits, tho.



  • Like I said: perfect. Muahahahaaa...



  • I guess it was developed by CS graduates with very vague idea how the real world works.


  • Dupa

    @wft said:

    I guess it was developed by CS graduates with very vague idea how the real world works.

    Yeah, I thought that too. But then I thought: come on, Runtastic is a one of the top players in the industry, IIRC they have recently been purchased by Adidas -- they are a huge organization with vast resources and their business model is centered around IT and... Fuck, it must have been developed by CS graduates with very vague idea how the real world works.



  • @wft said:

    I guess it was developed by CS graduates with very vague idea how the real world works.

    You mean to say that CS graduates do not yet possess object permanence?.



  • Yeah, they didn't want any of their users to disappear once they stopped using the app!


  • area_deu

    @RandomStranger said:

    Excellent. :mr_burns:

    You rang?



  • @ChrisH said:

    @RandomStranger said:
    Excellent. :mr_burns:

    You rang?

    You're an emoji?


    F(a)iled under: I love how nested quotes break the quote boxes, DISCOURSE!!!


  • Sadly, in the US just by changing the id in the url you are already guilty of "hacking" the site. Personally, I wouldn't post such information unless being very sure of your anonymity.

    For some examples of past cases, see:


  • Trolleybus Mechanic

    If you're using a training app, you shouldn't be worrying about privacy anyways. All that data's already been collected and sold multiple times over. It's been whored out to every ad network and snake-oil phisher who would drop a nickle for their turn at the data.


  • Dupa

    @quijibo said:

    Sadly, in the US just by changing the id in the url you are already guilty of "hacking" the site. Personally, I wouldn't post such information unless being very sure of your anony

    Yeah, I was waiting for a killjoy like you to compliment my outstanding hacker skills. 😆

    But I'll blur out the name when I have a moment.


  • Dupa

    @Lorne_Kates said:

    If you're using a training app, you shouldn't be worrying about privacy anyways

    Shhh… don't tell anyone but I have a very special system set up that I've taken great pains to design: at the start of each month I generate a set of misinformation data pertinent for each day of the month using my custom-built software. This data is very simple: it consists of the amount of time, calories burnt and distance (if pertinent) that I should add or subtract from the total activity time. Then when I perform the activities and I am good to go. All I need is to remove the training session from the app because it's unreliable as it is (it's just a timer) and add it anew, apart from GPS-tracked running and biking, which contains location data. So when I want to distort the distance-based activities I simply attach the phone to my dog or have a previously arranged metting with a friend who's going biking that day and I give my phone to him. This way I can be sure that only distorted data goes to their servers.

    When I get home, all I need to do is to transfer the data from my phone to my computer with all this misinformation corrected. I don't trust other programs, so I use plaintext files encrypted with PGP stored on my safely encrypted partition with self-destruction mechanism in place in case of unauthorized access. The note with distraction data I burn every first night of the month in a fire, along with other sensitive data about myself like store/restaurant receipts, train tickets and such.

    I only use Emacs to enter the data because I don't trust non-free software. I have it installed on my Slackware box exactly for this purpose. Then I never access the data unless it's very late and it's dark outside and I have blocked the view from all my windows.

    I know your pain. I too am running from the evil big data. And I won't give up easily.


    Sent from my iPhone.



  • I read a funny dystopian short-story once where the protagonist Bob is responsible for planning torture sessions. Bob relies on activity data sourced from bespoke sites to estimate the duration of waterboarding sessions their candidates would survive. Of course accidents happen and sometimes candidates die because the estimates were off.

    So Bob's reflecting on this last case, a middle-aged guy they brought in that had pretty high ratings on one tracking site. The guy didn't look too much like a runner but according to the data he could run a marathon easily. So Bob browses the data in detail again and notices that the running patterns are very regular. Too regular. The tracker must have been attached to a spinning rotor for hours.

    Well what do you know when your insurance policy is tied to your activity and your running performance is tracked on your dating portal, some engineers get inventive. The guy was dead. Killed by the enhanced interrogation techniques that didn't account for falsified data. Just another example where the estimates were off.

    Let his tale be a warning to you.


  • Trolleybus Mechanic

    @kt_ said:

    Sent from my iPhone.

    ❤


  • Dupa

    @Lorne_Kates said:

    ❤

    I live to serve. 💔


Log in to reply