N., a senior Israeli defense official, tries to run 10 kilometers, about 6 miles, every morning. He takes this jog when he’s at home, at work at an army base – and even when abroad for a sensitive mission.
N. is one of roughly 100 Israeli army officers or defense officials whose personal details – including names, photos and movements – were made available to outsiders due to a loophole in a popular running, cycling and hiking app.
The exploit in the app Strava, which was revealed by the Israeli open source investigative group FakeReporter, also exposed the locations of a number of highly sensitive sites in Israel, including the precise location of army and air force bases, Mossad headquarters and Military Intelligence bases.
FakeReporter, a disinformation watchdog, uses volunteers and open source experts to crowdsource investigations. It also found that a fake user took advantage of the glitch to create a small database of military bases.
The fact that the users of the app, their bases and even personal details were exposed constitutes a serious security breach, experts say. It’s a prime example of OSINT, or intelligence based on open sources.
Strava’s collection of geolocation data has raised privacy and even security concerns in the past, prompting the platform to allow users to conceal their location. The loophole, however, circumvents this new privacy setting by exploiting two features launched by Strava: Segment and Heatmap.
These functions let users see where other users have run in the past, or try to beat other users’ times in certain geographic areas.
FakeReporter received a tip that these functions could easily be exploited. By creating a fake user and uploading bogus running data, the app would reveal the running times of other users who were also active in the area – even if they had marked their profile as private. Their identities and past running routes would be revealed.
In theory, if fake users know the location of an Israeli base, they could upload data purportedly showing that they also exercised in that area and thus find all other users who worked out at the site. The privacy loophole would also give the fake accounts access to these users’ past running routes, potentially revealing additional bases and the real users’ travel itineraries.
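The mechanism described above, reduced to a small model (an added illustration, not Strava's code, with constructed route data): a segment leaderboard that matches activities purely by geography leaks every user who passed through the area, privacy setting or not, while the hardened form rejects implausible uploads such as "long distances in 0 seconds" and keeps private users off leaderboards viewed by strangers.

```python
from dataclasses import dataclass
from math import hypot

@dataclass
class Activity:
    user: str
    private: bool   # the user asked not to be shown to strangers
    points: list    # route as (x, y) metres; constructed sample data
    seconds: int    # elapsed time claimed by the uploader

def route_length(points):
    return sum(hypot(x2 - x1, y2 - y1)
               for (x1, y1), (x2, y2) in zip(points, points[1:]))

def covers_segment(activity, segment, tol=30.0):
    """An activity 'does' a segment if it passes within tol metres of every segment vertex."""
    return all(any(hypot(px - sx, py - sy) <= tol for px, py in activity.points)
               for sx, sy in segment)

def leaky_leaderboard(activities, segment):
    # The behaviour the article describes: whoever draws a segment over a
    # place sees every user who ever ran there, private profile or not.
    return [a.user for a in activities if covers_segment(a, segment)]

def is_plausible(activity, max_mps=12.0):
    # Reject "long distance in 0 seconds" uploads before they can create segments.
    if activity.seconds <= 0:
        return False
    return route_length(activity.points) / activity.seconds <= max_mps

def safe_leaderboard(activities, segment, viewer):
    # Hardened form: drop implausible uploads, and show a private user's
    # result only to that user.
    return [a.user for a in activities
            if is_plausible(a) and covers_segment(a, segment)
            and (not a.private or a.user == viewer)]

# Constructed sample: a 200 m segment and three uploads.
SEGMENT = [(0, 0), (100, 0), (200, 0)]
ACTIVITIES = [
    Activity("public_runner", False, [(0, 0), (100, 0), (200, 0)], 60),
    Activity("private_officer", True, [(0, 5), (100, 5), (200, 5)], 70),
    Activity("bogus_account", False, [(0, 0), (100, 0), (200, 0), (10000, 0)], 0),
]

if __name__ == "__main__":
    print(leaky_leaderboard(ACTIVITIES, SEGMENT))                       # all three users
    print(safe_leaderboard(ACTIVITIES, SEGMENT, viewer="bogus_account"))  # only public_runner
```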
The efforts of the fake user found by FakeReporter raise serious concerns that the details of Israeli defense officials as well as the locations of their bases and past travel routes have been exposed.
This fake user, called Ez Shl, uploaded fake running data to Strava to create “segments” from extremely sensitive Israeli sites and thus revealed the identities of people who had run in those areas. The data uploaded by the user is clearly fake as it shows him or her running long distances in “0 seconds.”
The locations of the sites were saved and marked; they included two air force bases, at least two Israeli Military Intelligence bases, and even Mossad headquarters.
Among the bases with details exposed were those of the Israel Air Force at Palmahim and Ramat David; among the Military Intelligence bases were Glilot and another near Jerusalem. Among the soldiers exposed were over 50 from Palmahim, including officers from an elite unit, and some who also ran routes near Dimona, the site of Israel’s nuclear reactor.
FakeReporter has informed both Strava and the Israeli authorities of the loophole. Strava said it removed the fake user.
In 2018, Haaretz’s Chaim Levinson revealed a serious breach concerning the senior commander at the VIP security unit of the Shin Bet security service. His personal details, whereabouts and even past and current travel routes were revealed after Strava was used on a smartwatch.
For its part, Strava said: “We take matters of privacy very seriously and have addressed the reported issues.” The Defense Ministry did not respond.
An Israeli military spokesperson said in response that they are “aware of the potential threats that exist online,” adding that “in the wake of previous incidents like those mentioned [here] special procedures are put in place for those serving in sensitive positions.”