Strava exposes private data to nearby users: check your privacy settings

Incorrect settings can cause the popular Strava running and cycling app (and service) to make a user's information available to third parties nearby. For privacy reasons, you should take a closer look at this and check your settings.


A strange experience with Strava

Andrew Seward, Experian's Head of Product Development, recently posted about the incident on Twitter, and Bleeping Computer has picked it up.

Out running this morning on a new route and a lady runs past me. Despite only passing, when I get home @Strava automatically tags her in my run. If I click on her face it shows her full name, picture and a map of her running route (which effectively shows where she lives)

(Strava data leak)

He was recording a morning run with the Strava app when he noticed a woman running past him. When he arrived home and looked at the data in the Strava app, he was astonished. The app had apparently recorded data about the woman, and when he selected the jogger's face in Strava, her full name, picture and a map of her run (which effectively shows where she lives) were displayed.

Andrew Seward was surprised because he had not followed the woman for any length of time and she had not made her data public on Strava. This prompted him to post the whole thing on Twitter, because such a feature, which a Strava user doesn't know about, invites abuse (like stalking).

Confusing default privacy settings to blame

After his tweet, another user pointed out that a separate privacy setting with somewhat odd wording was responsible for this. Here is the text of his follow-up tweet.


UPDATE: @ntzm_ points out this is a separate privacy setting from when you change who can see your activities – all settings default to 'Everyone' but this feature will only be disabled if you turn off 'Flyby'

Strava privacy settings

In the settings, the privacy preferences for all options default to 'Everyone', i.e. third parties can view activities. To prevent Strava data from being copied into the profiles of third parties as they pass by, the Flyby option, which shares activities with everyone nearby, must be disabled (see also the explanation on Bleeping Computer).

Strava's settings are probably extremely clumsy, and combined with confusing explanations of the options they lead to this problem. Sharing activities with others in the vicinity can only be prevented by deactivating the Flyby option. The case shows once again that you should not use any of these services without a prior security analysis.

Additional note: The whole thing doesn't seem to be really new, by the way. As early as June 2020, How-To Geek published the article "How to Stop Strava From Making Your Home Address Public", which addressed exactly this issue. But probably nobody was interested at that time.

In the meantime, Strava has learned from the incident and is sending its users a link with information on how to change the setting. This is not the first case, by the way, where risks became obvious when using Strava. In 2018 there was a case where the shared tracks of US military personnel could be viewed on the Strava site.
