Security Breach in Strava Exercise App Used to Spy on Israeli Officials, Reveals Army Bases

A security flaw in the app Strava reveals secret bases and the identities and movements of soldiers and defense officials, a disinformation watchdog finds. The government has been informed, and a fake user removed.

Omer Benjakob

Data in the fake account called Ez Shl in the running, cycling and hiking app Strava. Credit: FakeReporter

N., a senior Israeli defense official, tries to run 10 kilometers, about 6 miles, every morning. He takes this jog when he’s at home, at work at an army base – and even when abroad for a sensitive mission.

N. is one of roughly 100 Israeli army officers or defense officials whose personal details – including names, photos and movements – were made available to outsiders due to a loophole in a popular running, cycling and hiking app.

The exploit in the app Strava, which was revealed by the Israeli open source investigative group FakeReporter, also exposed the locations of a number of highly sensitive sites in Israel, including the precise location of army and air force bases, Mossad headquarters and Military Intelligence bases.

FakeReporter, a disinformation watchdog, uses volunteers and open source experts to crowdsource investigations. It also found that a fake user took advantage of the glitch to create a small database of military bases.

The fact that the users of the app, their bases and even their personal details were exposed amounts to a serious security breach, experts say. It is a prime example of OSINT, or intelligence based on open sources.

A route shown in the app. Credit: FakeReporter

Strava’s collection of geolocation data has raised privacy and even security concerns in the past, prompting the platform to allow users to conceal their location. The loophole, however, circumvents this new privacy setting by exploiting two features launched by Strava: Segment and Heatmap.

These functions let users see where other users have run in the past, or try to beat other users’ times in certain geographic areas.

FakeReporter received a tip that these functions could easily be exploited. By creating a fake user and uploading bogus running data, the app would reveal the running times of other users who were also active in the area – even if they had marked their profile as private. Their identities and past running routes would be revealed.

In theory, if fake users know the location of an Israeli base, they could upload data purportedly showing that they also exercised in that area and thus find all other users who worked out at the site. The privacy loophole would also give the fake accounts access to these users’ past running routes, potentially revealing additional bases and the real users’ travel itineraries.

The efforts of the fake user found by FakeReporter raise serious concerns that the details of Israeli defense officials as well as the locations of their bases and past travel routes have been exposed.

A wider view of a map in Strava. Credit: FakeReporter

This fake user, called Ez Shl, uploaded fake running data to Strava to create “segments” from extremely sensitive Israeli sites and thus revealed the identities of people who had run in those areas. The data uploaded by the user is clearly fake as it shows him or her running long distances in “0 seconds.”
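The two weak points the article describes, segment matching that surfaces private users near a chosen location and fake uploads that show long distances run in "0 seconds", both lend themselves to server-side checks. The following is an added illustration written for this article; it is not Strava's or FakeReporter's code, and the activity format, the speed ceiling, the privacy-zone radius and every coordinate in it are constructed sample values rather than real sites. It rejects physically implausible uploads before they can create a segment, and strips track points inside a designated privacy zone before any segment matching, so a match can never reveal who exercised there.

```python
"""Added illustration, not Strava's code. Two server-side checks on a
constructed, simplified activity format:

1. Plausibility: an upload whose distance is impossible for its elapsed
   time (the article's "long distances in 0 seconds") is rejected before it
   can create a segment or be matched against other users.
2. Privacy zones: track points within a configured radius of a designated
   location are dropped before segment matching, so a match cannot reveal
   who exercised there.
All coordinates below are constructed sample values, not real base locations.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
MAX_RUNNING_SPEED_MPS = 12.0   # assumed ceiling, above any sustained human pace


@dataclass(frozen=True)
class Point:
    lat: float
    lon: float
    t: float  # seconds since the start of the activity


def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two points."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def track_distance_m(track: list[Point]) -> float:
    """Total path length of a track in metres."""
    return sum(haversine_m(p, q) for p, q in zip(track, track[1:]))


def is_plausible(track: list[Point], max_speed: float = MAX_RUNNING_SPEED_MPS) -> bool:
    """Reject tracks that cover ground faster than a human could, including
    the zero-elapsed-time case (any distance in 0 s is infinite speed) and
    timestamps that run backwards."""
    if len(track) < 2:
        return False
    for p, q in zip(track, track[1:]):
        dt = q.t - p.t
        d = haversine_m(p, q)
        if dt <= 0:
            if d > 0:          # moved without time passing: fabricated
                return False
            continue           # duplicate sample at the same place, harmless
        if d / dt > max_speed:
            return False
    return True


def strip_privacy_zones(track: list[Point], zones: list[tuple[Point, float]]) -> list[Point]:
    """Drop every point that lies inside any (centre, radius_m) zone, so the
    remaining track can be matched against segments without exposing
    presence at the protected location."""
    return [p for p in track if all(haversine_m(p, centre) > r for centre, r in zones)]


def screen_upload(track: list[Point], zones: list[tuple[Point, float]]):
    """Pipeline an upload would pass through before segment matching:
    returns ("rejected", None) or ("accepted", filtered_track)."""
    if not is_plausible(track):
        return ("rejected", None)
    return ("accepted", strip_privacy_zones(track, zones))


# Constructed sample data (hypothetical coordinates, not a real site).
SENSITIVE_SITE = Point(32.0, 34.8, 0.0)
ZONES = [(SENSITIVE_SITE, 1000.0)]   # assumed 1 km privacy radius

# A fabricated upload: ~5.5 km northward with zero elapsed time.
FAKE_UPLOAD = [Point(32.0, 34.8, 0.0), Point(32.05, 34.8, 0.0)]

# A plausible run: ten samples heading east, ~189 m every 60 s (~3.1 m/s),
# starting at the protected location and leaving the 1 km zone after ~6 samples.
LEGIT_RUN = [Point(32.0, 34.8 + 0.002 * i, 60.0 * i) for i in range(10)]


if __name__ == "__main__":
    print("fake upload:", screen_upload(FAKE_UPLOAD, ZONES)[0])
    status, kept = screen_upload(LEGIT_RUN, ZONES)
    print("legit run:", status, "points kept after privacy zones:", len(kept))
```

Run stand-alone, the fabricated upload is rejected on the first pair of points, while the plausible run is accepted with only the points outside the 1 km zone retained. In practice the plausibility threshold would be tuned per sport, and the zone radius would be chosen by the user or an organisation rather than hard-coded.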

The locations of the sites were saved and marked; they included two air force bases, at least two Israeli Military Intelligence bases, and even Mossad headquarters.

Among the bases with details exposed were those of the Israel Air Force at Palmahim and Ramat David; among the Military Intelligence bases was Glilot and another near Jerusalem. Among the soldiers exposed were over 50 from Palmahim, including officers from an elite unit, and some who also ran routes near Dimona, the site of Israel’s nuclear reactor.

FakeReporter has informed both Strava and the Israeli authorities of the loophole. Strava said it removed the fake user.

In 2018, Haaretz’s Chaim Levinson revealed a serious breach concerning the senior commander at the VIP security unit of the Shin Bet security service. His personal details, whereabouts and even past and current travel routes were revealed after Strava was used on a smartwatch.

For its part, Strava said: “We take matters of privacy very seriously and have addressed the reported issues.” The Defense Ministry did not respond.

An Israeli military spokesperson said in response that they are “aware of the potential threats that exist online,” adding that “in the wake of previous incidents like those mentioned [here] special procedures are put in place for those serving in sensitive positions.”
