Strava fitness app used to spy on Israeli military officials
The flaw has also exposed the locations of a number of sensitive sites in the country.
Unidentified operatives have been exploiting a security weakness in the popular fitness tracking app Strava to track the movements of Israeli defence personnel, according to Israeli open source investigative group FakeReporter.
The flaw has also made public the precise locations of a number of extremely sensitive sites in the country, including Army and Air Force outposts, Mossad headquarters as well as bases belonging to Military Intelligence.
Strava's gathering of geolocation data has generated privacy and security concerns in the past, which eventually led to the app allowing users to hide their location.
However, the latest security weakness circumvents the new privacy setting by exploiting two of the app's new features: Segment and Heatmap.
Strava users can use these features to check where others have run before or to attempt to beat other users' times in certain geographic locations.
Any user can create a map-based physical challenge using the Segment tool and generate a publicly visible scoreboard that is accessible to all Strava users.
Users can define a segment after uploading it through the Strava app. They can also submit GPS recordings from other products or services.
However, Strava has no means of knowing if those GPS uploads are genuine, and anyone can create a section by uploading data - even if they haven't gone to the location they're tracking. Thus, these features can be readily abused.
If someone created a fake user and uploaded phoney running data, the app shows the running times of other users who were also active in the vicinity - even if other users had set their profile to private.
Their true identities, as well as their previous running routes, would also be disclosed.
In theory, if fraudulent users are aware of the location of an Israeli base, they might submit data claiming they had exercised there as well, allowing them to track down any other users who worked out there.
The Guardian saw an example in which a user on a top-secret site - believed to have connections to the Israeli nuclear programme - could be followed through other military locations and all the way to a foreign country.
"We contacted the Israeli security forces as soon as we became aware of this security breach," Achiya Schatz, the executive director of FakeReporter, said.
"After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue."
The researchers discovered that someone is already aware of and exploiting the vulnerability. They found that an anonymous person had set up a series of fake segments throughout a number of military sites in Israel. The user, whose location was provided as Boston, Massachusetts, has never visited Israel or participated in any of the events.
Using the names found in the fake Segments, FakeReporter was able to locate more personal information about the Israeli troops, including family members, home addresses, co-workers and travel histories. FakeReporter was able to identify at least 100 different Israelis.
Strava deleted the fake Segments in Israel after FakeReporter alerted the firm.
"We take matters of privacy very seriously and have been made aware by an Israeli group, FakeReporter, of a segment issue regarding a specific user account and have taken the necessary steps to remedy this situation," Strava said in a statement to The Guardian.
However, the core mechanism that enabled the breach remains unchanged, according to Haaretz.
"Any country in the world is vulnerable to this manipulation," Schwatz told the Israeli publication.