An alleged Strava security breach allowed unidentified operatives to spy on Israeli military members, according to a watchdog group.
The operatives set up fake “segments” in top-secret military establishments across Israel, the group said.
The operatives could track a user moving across bases and to a foreign country with the segments.
An alleged security breach on Strava, the fitness-tracking app for runners and cyclists, allowed unidentified operatives to spy on members of Israel’s military, according to an Israeli watchdog group.
FakeReporter, which leverages crowdsourcing to report malicious activity, said in a press release that Strava’s security breach was used to identify Israeli security personnel in top-secret locations.
FakeReporter was alerted to the security breach and was consequently able to identify at least 100 individuals using Strava while exercising in at least six top-secret military facilities in Israel, the press release said.
The Guardian reported that one user who went for a run on a top-secret base, thought to have links to the clandestine Israeli nuclear program, could be tracked moving across other military bases and to a foreign country.
The unidentified operatives were able to mine information from Israeli military members even with the most robust possible account privacy settings, The Guardian said.
The operation, which has not yet been attributed to a specific actor or group, involved tracking information by creating fake running “segments” inside military bases, the newspaper reported.
Strava’s tracking tools allow anyone to create and compete in segments — short sections of a run or bike ride that can be used to race. Anyone can define a segment without ever having been at the location, meaning that some segments are clearly artificially generated, The Guardian reported.
In this instance, the newspaper said that the operatives, posing as an anonymous Strava user in Boston, Massachusetts, set up a series of fake segments in military establishments to track the movements of those based there.
With this information, per the press release, they could locate the movements, family members, colleagues, and addresses of specific users associated with Israeli intelligence agencies and the air force.
In a statement sent to Insider, the executive director of FakeReporter, Achiya Schatz, said that the watchdog group alerted Israeli security forces as soon as they became aware of the security breach.
“In the past, Strava’s privacy settings have been tied to incidents of exposure of sensitive information. In 2018, the newly introduced ‘Heatmap’ feature was shown to reveal American military sites,” Schatz said.
Schatz continued, “Despite past revelations, it does not appear that Israeli security agencies have caught up. Although Strava made significant updates to its privacy settings, confused users might still be exposed publicly, even if their profiles were set to ‘private.’”
FakeReporter’s executive director added that this finding has chilling consequences. “By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike,” Schatz said.
Strava did not immediately respond to Insider’s request for comment.