by Iain Treloar
April 24, 2020
As growing numbers of athletes look to the virtual world for their exercise needs, the platforms that are their playgrounds are put under increasing amounts of pressure to respond to the uptick. And in the surge, it seems like some basics can get missed.
At least, that’s the allegation levelled at the French exercise app, Kinomap, which has been accused by VPN review website vpnMentor of having accidentally left 42 million records open to attack from hackers.
The vulnerability, discovered by vpnMentor’s research team as part of a web-mapping project, involved an unsecured and unencrypted database containing personal information of some Kinomap users – full names, home country, email addresses, gender, usernames, timestamps and more.
In total, vpnMentor says that 40GB of data was left vulnerable to criminal hackers.
That doesn’t sound great, but there may be more to it than meets the eye. As we start unpacking it, let’s step back a few steps and break down who the key players are.
Kinomap was founded in France in 2002, and is a paid indoor-training subscription operating across a number of sports. It pairs videos with interactive workouts – similar to the likes of Zwift and FulGaz, among others – and uses real-world footage submitted by Kinomap users and professional trainers. The company’s involvement in cycling also includes a partnership with the Hammer Series.
vpnMentor is the “world’s largest VPN review website” and was founded by a former Google marketing manager. Within the organisation sits a team of “ethical hackers” that “strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.” vpnMentor contacted this reporter directly to expose what they described as a “massive data leak”; we have not had correspondence previously.
vpnMentor says that in line with its code of ethics, it has a responsibility to inform the public of data breaches, although the aggression with which it is pursuing Kinomap feels more than a little icky, seeing as the exercise doubles as a way to indirectly drum up business.
The allegation, which is detailed in a vpnMentor report, is that millions of “records” were left unsecured and open to attack from malicious hackers. The exposed data, according to vpnMentor, included access keys to Kinomap’s API, and left users open to fraud and phishing campaigns. The breach was, according to vpnMentor, a risk not just for Kinomap’s users but for the company as well.
The breach was discovered by vpnMentor on March 16, and after further investigation, Kinomap was contacted on March 18. vpnMentor says that it is yet to receive a response from Kinomap, despite a follow-up later that month. In the absence of any assurance from Kinomap, vpnMentor’s findings were relayed to the French independent data privacy regulator, CNIL, and the breach was reportedly closed around April 12.
CyclingTips contacted Kinomap for comment, and Kinomap CEO Laurent Desmons confirmed that they had been “contacted by the CNIL about our elastic indexes and the situation has been cleared with them since then.”
“We’ve taken the situation seriously and we asked for a third-party security audit just to make sure and we will communicate once we get the conclusion,” Desmons wrote.
Further emails from Kinomap President Philippe Moitie underlined Kinomap’s sensitivity to stringent European GDPR requirements, and confirmed that no payment data had been compromised. He also pointed out that most of the information that vpnMentor had identified as being subject to a security breach was, in fact, already shared publicly by Kinomap users on an opt-in basis.
Neither Moitie nor Desmons disputes that the “potential vulnerability” existed, although Moitie stressed that in his opinion, “it was not a security breach”.
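The configuration problem at the centre of this story, an Elasticsearch index (Desmons’s “elastic indexes”) reachable from the internet with no authentication and no encryption, is common enough that it is worth showing what the weak and the corrected settings look like side by side. The following is an added example written for this article; it is not Kinomap’s or vpnMentor’s code. The setting names are real Elasticsearch options, but the two sample configuration files are constructed for illustration, and the helper only handles the flat `dotted.key: value` lines such files usually contain.

```python
# Added example (not Kinomap's or vpnMentor's code): an audit helper that reads an
# elasticsearch.yml-style file and flags the combination described in the article,
# an index reachable from outside the host with no authentication and no TLS.
# The two sample configs below are constructed; the setting names are real.

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: what a node left open to the internet typically looks like.
EXPOSED_CONFIG = """\
cluster.name: workouts
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no users, no passwords, no access control
"""

# Constructed sample: the same node with the security layer switched on.
HARDENED_CONFIG = """\
cluster.name: workouts
network.host: 127.0.0.1        # only local services (the app tier) may connect
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines Elasticsearch config files use.

    Strips '#' comments and blank lines; nested YAML maps are out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_true(settings, key):
    """Treat an unset boolean as false; that is the safe assumption for an audit."""
    return settings.get(key, "false").lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means nothing in scope was found."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")  # ES binds loopback when unset
    public = host not in LOOPBACK_HOSTS
    if public:
        findings.append(f"network.host={host}: HTTP API reachable from other hosts")
    # Security was off by default before Elasticsearch 8.0, so 'unset' counts as off.
    if not is_true(settings, "xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication, "
                        "any client can read and write every index")
    if not is_true(settings, "xpack.security.http.ssl.enabled"):
        findings.append("xpack.security.http.ssl.enabled is not true: API traffic "
                        "(including any API keys stored in documents) travels in cleartext")
    if public and not is_true(settings, "xpack.security.enabled"):
        findings.insert(0, "CRITICAL: publicly reachable and unauthenticated, the "
                           "pattern behind most 'open database' reports")
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(parse_flat_yaml(text)) or ["no findings"]:
            print(" -", finding)
```

Run against the constructed “exposed” file the audit reports four findings, led by the critical public-and-unauthenticated combination; against the hardened file it reports none. Binding to loopback (or a private interface behind a firewall) and enabling the security layer are the two changes that remove the exposure class; TLS then protects anything, such as API keys, that legitimately travels over the connection.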
vpnMentor’s report on Kinomap, with its bombastic allegations, appears to have been distributed to a number of infosecurity and hacking-focused outlets, none of which appear to have contacted Kinomap for their take on it. We did, but that didn’t particularly clear things up – something still feels a bit off.
Kinomap seem like decent people who made a mistake, have fixed the problem, and are taking measures to ensure it doesn’t happen again. vpnMentor seem like they’ve been digging around for dirt, have legitimately found something, and are now pursuing it relentlessly. Both have financial interests in pushing their side of the story. And stuck in the middle are users of the app, who can only hope that the vulnerability wasn’t exploited by any nefarious third parties in the meantime.