The popular fitness app and activity tracker Polar Flow has been revealing the location of military and government personnel working at sensitive locations, according to new reports.
The report cites an investigation conducted by Dutch news site De Correspondent and Bellingcat, which discovered it was possible to find workout information recorded by Polar Flow and use it to potentially identify the names of employees working at military bases and government buildings.
The technique included accessing the developer API from Polar, the Finnish-based company that produces Polar Flow. Through the API, a person can not only explore public data that users willingly share, but could also retrieve fitness tracking information from users who have their profiles set to private.
Those few data points allowed the researchers to identify more than 6,400 users believed to be working at sensitive locations.
The API also didn’t put a limit on the number of requests a person could make, so it was feasibly possible that someone could scrape information from the millions of users who rely on Polar Flow to track their workouts.