Echelon exposed riders’ account data, thanks to a leaky API

Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.

But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it.

Echelon’s API is what its members’ devices and apps use to talk to Echelon’s servers over the internet. The API was supposed to check that a device was authorized to pull user data by requiring an authorization token on each request. But Masters said the token wasn’t actually needed: requests without one were answered all the same.

Masters also found a second bug: because the API enforced only weak access controls, an authenticated member could pull data on any other member simply by asking for that member’s account ID (a broken object-level authorization bug, often called an insecure direct object reference). Because account IDs were easy to enumerate, Masters said, the bug made it easy to scrape account data from Echelon’s servers in bulk. Facebook, LinkedIn, Peloton and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms.
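To make the two reported weaknesses concrete, the following added example (written for this page; it is not Echelon’s code or Pen Test Partners’ proof of concept) models a member-profile endpoint twice: once with the behaviour described above, and once hardened so that every request is authenticated and every record is authorized per object. The member records, bearer tokens, class roster, numeric account IDs and field names are all constructed for the example; Echelon’s real endpoints and identifiers are not known from this article.

```python
import hmac
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample records standing in for member profiles (not Echelon data).
MEMBERS: Dict[int, dict] = {
    101: {"name": "Alice", "city": "Austin", "age": 34, "phone": "555-0101",
          "weight_kg": 61, "equipment_serial": "BIKE-0001"},
    102: {"name": "Bob", "city": "Boston", "age": 41, "phone": "555-0102",
          "weight_kg": 88, "equipment_serial": "BIKE-0002"},
    103: {"name": "Carol", "city": "Chicago", "age": 29, "phone": "555-0103",
          "weight_kg": 70, "equipment_serial": "ROWER-0007"},
}

# Hypothetical bearer tokens -> member ID; a real service would consult a session store.
TOKENS: Dict[str, int] = {"tok-alice-9f3c": 101, "tok-bob-71aa": 102}

# Hypothetical roster of one live class: members who may legitimately see each other.
CLASS_ROSTER: Dict[str, set] = {"class-42": {101, 102}}

# The only profile fields a classmate should be shown; everything else is owner-only.
CLASSMATE_FIELDS = ("name",)

Response = Tuple[int, Optional[dict]]


def vulnerable_get_member(member_id: int, authorization: Optional[str] = None) -> Response:
    """Models the behaviour reported above: the Authorization header is accepted but
    never checked, and the full record for any ID is returned to whoever asks."""
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    return 200, dict(record)


def _caller_from_token(authorization: Optional[str]) -> Optional[int]:
    """Map a 'Bearer <token>' header to a member ID, or None if absent or invalid."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    presented = authorization[len("Bearer "):]
    for token, member_id in TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time comparison
            return member_id
    return None


def hardened_get_member(member_id: int, authorization: Optional[str] = None) -> Response:
    """Fix 1: authenticate every request. Fix 2: authorize per object, returning the
    full profile only to its owner and a minimal projection to classmates."""
    caller = _caller_from_token(authorization)
    if caller is None:
        return 401, None
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    if caller == member_id:
        return 200, dict(record)
    shares_class = any(caller in roster and member_id in roster
                       for roster in CLASS_ROSTER.values())
    if shares_class:
        return 200, {field: record[field] for field in CLASSMATE_FIELDS}
    # Same status for "exists but forbidden" as for "does not exist", so the
    # endpoint cannot be used to confirm which account IDs are live.
    return 404, None


def scrape(get_member: Callable[..., Response], ids: Iterable[int],
           authorization: Optional[str] = None) -> Dict[int, dict]:
    """Walk an ID range and keep every record the endpoint hands back. Against the
    vulnerable handler this harvests every member; against the hardened one an
    unauthenticated scrape gets nothing and an authenticated one gets only what
    the caller is entitled to see."""
    found: Dict[int, dict] = {}
    for member_id in ids:
        status, body = get_member(member_id, authorization)
        if status == 200 and body is not None:
            found[member_id] = body
    return found


if __name__ == "__main__":
    print("unauthenticated scrape, vulnerable:", len(scrape(vulnerable_get_member, range(100, 110))))
    print("unauthenticated scrape, hardened:  ", len(scrape(hardened_get_member, range(100, 110))))
    print("alice viewing bob, hardened:", hardened_get_member(102, "Bearer tok-alice-9f3c"))
```

The two fixes are independent and both are needed: validating the token alone would still let any paying member walk the ID space, and per-object checks alone do nothing if the caller’s identity was never established. Returning 404 rather than 403 for records the caller may not see is a deliberate choice so the endpoint does not double as an account-ID oracle.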

Ken Munro, founder of Pen Test Partners, disclosed the vulnerabilities to Echelon on January 20 in a Twitter direct message, since the company doesn’t have a public-facing vulnerability disclosure process (which it says is now “under review”). But the researchers did not hear back during the 90 days after the report was submitted, the standard amount of time security researchers give companies to fix flaws before their details are made public.

TechCrunch asked Echelon for comment, and was told that the security flaws identified by Masters — which he wrote up in a blog post — were fixed in January.

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information],” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company. While the company said it keeps detailed logs, it did not say whether it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated.

Echelon also confirmed it fixed a bug that allowed users under the age of 13 to sign up. Many companies refuse accounts to children under 13 so that they do not fall under the Children’s Online Privacy Protection Act, or COPPA, a U.S. law that puts strict rules on what data companies can collect about children. Even so, TechCrunch was able to create an Echelon account this week with an age of less than 13, despite the sign-up page stating: “Minimum age of use is 13 years old.”


DockerCon 2021: Updates to the collaborative app dev platform and trusted content announced

Docker announced new improvements to increase velocity, improve workflows, and provide trusted-content offerings to software developers at its DockerCon 2021 annual conference this week. 

The Docker Collaborative Application Development Program now features three key improvements: Docker Development Environments, a new version of Docker Compose and Scoped Personal Access Tokens. 

“Today’s developers face a variety of languages, frameworks and architectures, as well as discontinuous interfaces between tools for each pipeline stage, resulting in application development that is enormously complex to get from source code to cloud runtime,” said Donnie Berkholz, vice president of products at Docker. “Today’s announcements empower developers to ship faster by bringing their ideas to reality with Docker.” 

Docker Development Environments is a new collaborative team development experience that will be available next month. Version 2 of Docker Compose incorporates the Docker Compose command into the Docker CLI and includes improved support for GPU, deep learning and multi-environment configurations. Scoped Personal Access Tokens are gaining fine-grained permissions, to be released later this summer: a token can be limited to read only, read and write, or read public repositories only.

Also announced at the conference is an expansion of Docker’s trusted content offering. The company launched the Docker Verified Publisher program to provide access to trusted content that developers can use as the building blocks for their applications. Datadog, Red Hat and VMware have joined the program. 

Docker also announced that Docker Official Images will be distributed through public and private AWS registries and through Mirantis.

“We are thrilled to announce the Docker Verified Publisher program’s availability to even more publishers and the distribution of Docker Official Images to even more developers through even more registries,” said Scott Johnston, CEO of Docker. “This greatly expands choice for developers to complement Docker Official Images and solidifies the Docker platform and Docker Hub as the de facto standard for trusted, secure container images.”  

The post DockerCon 2021: Updates to the collaborative app dev platform and trusted content announced appeared first on SD Times.

SD Times Open-Source Project of the Week: Ugly Duckling

The SaaS security company Detectify last week announced the general availability of its standalone application security tool: Ugly Duckling.

The tool is designed to make it easier for ethical hackers to share their latest vulnerability findings and have them integrated into automated security tests on Detectify’s platform. It gives researchers the means to create test modules independently.

When ethical hackers find a vulnerability, they write a module for it as a JSON file and run it through Ugly Duckling to validate that it works. Detectify can then deploy the JSON file on its platform and scale the check out to thousands of application owners and teams within five to ten minutes of the issue being submitted.

“It’s a win-win: security and engineering teams can stay up to speed with the latest exploitable vulnerabilities found in the wild, while the ethical hackers can get paid faster,” Detectify wrote in an announcement.

Ugly Duckling uses a custom JSON-based template format to describe the vulnerabilities and it can detect stateless vulnerabilities, ones that can be identified with a single HTTP request. 
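To show what a template-driven, single-request check looks like in practice, here is an added example written for this page. The JSON template shape, the matcher types and the canned responses are all invented for the illustration; they are not Ugly Duckling’s actual template format or code. The point it demonstrates is the stateless model the paragraph describes: one request is issued, and a finding is reported only if every matcher in the template agrees on the response.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical template: this JSON shape is invented for the example and is NOT
# Ugly Duckling's real format. It describes a single request and the conditions
# under which the response counts as a finding (an exposed .env file here).
TEMPLATE_JSON = r'''
{
  "id": "example-exposed-dotenv",
  "severity": "high",
  "request": {"method": "GET", "path": "/.env"},
  "matchers": [
    {"type": "status", "value": 200},
    {"type": "header", "name": "content-type", "regex": "^text/plain"},
    {"type": "body_regex", "value": "(?m)^[A-Z][A-Z0-9_]*=\\S+$"}
  ]
}
'''


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: str


# A transport takes (method, path) and returns a response; in a real scanner this
# would wrap an HTTP client.
Transport = Callable[[str, str], HttpResponse]


def canned_transport(site: str) -> Transport:
    """Constructed responses standing in for a live server so the example runs
    offline: 'leaky' serves its .env file, anything else returns a generic 404."""
    def send(method: str, path: str) -> HttpResponse:
        if site == "leaky" and method == "GET" and path == "/.env":
            return HttpResponse(200, {"Content-Type": "text/plain; charset=utf-8"},
                                "APP_ENV=production\nDB_PASSWORD=example-only\n")
        return HttpResponse(404, {"Content-Type": "text/html"},
                            "<html><body>Not Found</body></html>")
    return send


def matches(matcher: dict, resp: HttpResponse) -> bool:
    """Evaluate one matcher. Unknown matcher types fail closed with an error
    rather than silently counting as a match."""
    kind = matcher["type"]
    if kind == "status":
        return resp.status == matcher["value"]
    if kind == "header":
        lowered = {k.lower(): v for k, v in resp.headers.items()}
        value = lowered.get(matcher["name"].lower(), "")
        return re.search(matcher["regex"], value) is not None
    if kind == "body_regex":
        return re.search(matcher["value"], resp.body) is not None
    raise ValueError(f"unknown matcher type: {kind}")


def run_template(template_json: str, send: Transport) -> Optional[dict]:
    """Issue the template's one request and report a finding only if every
    matcher agrees. One request per template is what makes the check stateless:
    no login, no session and no earlier response are needed."""
    template = json.loads(template_json)
    req = template["request"]
    resp = send(req["method"], req["path"])
    if all(matches(m, resp) for m in template["matchers"]):
        return {"id": template["id"], "severity": template["severity"],
                "path": req["path"], "status": resp.status}
    return None


if __name__ == "__main__":
    print("leaky:  ", run_template(TEMPLATE_JSON, canned_transport("leaky")))
    print("patched:", run_template(TEMPLATE_JSON, canned_transport("patched")))
```

Requiring all matchers to agree (status, content type and body shape) is what keeps a check like this from firing on a soft-404 page that happens to contain a KEY=value string; a template that matched on status alone would drown application owners in false positives once scaled out to thousands of targets.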

“Vulnerability research is often a time game. With Ugly Duckling, we can get quality-checked research from our hackers sooner, allowing for more vulnerabilities to be released as tests before the vendor has patched them. This means better protection for customers and higher payments for the hackers,” said Tom Hudson, the security research tech lead at Detectify.

“To build safer web apps, security needs to be a collaborative effort, and knowledge about it needs to be accessible. The stand-out feature with Ugly Duckling is that the code is simple and MIT licensed, so you can use it as a jumping-off point to build your own custom scanner,” he added.

The post SD Times Open-Source Project of the Week: Ugly Duckling appeared first on SD Times.

PayPal acquires returns logistics business, Happy Returns

PayPal announced today it’s acquiring Happy Returns, a returns solution provider that offers online shoppers access to easier ways to send back unwanted merchandise to retailers without having to box it up and ship it themselves. The company today offers a network of more than 2,600 drop-off returns locations in the U.S., including those in over 1,200 metros and in every U.S. state.

It also has relationships with hundreds of brands that have been using its returns software and reverse logistics services. The company says it will continue to offer its returns experience to online retailers and shoppers as a part of PayPal.

Founded in 2015, Santa Monica-based Happy Returns’ value proposition was to take some of the overhead and cost out of the returns process for online retailers. Because online shoppers can’t inspect items before they buy, online retail tends to see higher return rates, especially in apparel. Happy Returns found that online purchases are three to four times as likely to be returned as those made in store, for example.

Meanwhile, today’s retailers have to compete with giants like Amazon and Walmart, both of which make returns easy for their customers by way of their large brick-and-mortar footprints: Amazon through Whole Foods and other locations, and Walmart through its own stores. In fact, the foot traffic that an in-store Amazon returns desk or locker generates has led retailers like Kohl’s and Stein Mart to embrace the enemy by catering to shoppers with Amazon returns in their own stores.

Today, the Happy Returns solution offers a combination of software, services and logistics that allows retailers to manage their returns through their own retail stores, by carrier, as well as through Happy Returns’ “Return Bar” locations. These are found in physical retail stores like Paper Source, Sur La Table, Cost Plus World Market and others. The service has been used by several digitally native brands, including Everlane, Rothy’s and Parachute Home, among others.

Happy Returns has also been closely working with PayPal throughout its history, it notes. And notably, PayPal made a strategic investment in the business in 2019, as part of an $11 million financing round.

Following the deal’s close, Happy Returns will continue to work with retailers and shoppers both on and off PayPal’s platform, it says. The company’s co-founders, David Sobie and Mark Geller, and its full 120+ team, will join PayPal, and will report to Frank Keller, SVP Consumer In-Store and Digital Commerce at PayPal.

PayPal is not disclosing the deal terms. To date, Happy Returns had raised $25 million in funding.

“This is an incredibly exciting milestone for our company, and it would not have been possible without the hard work and dedication of our entire team,” an announcement on Happy Returns’ website reads. “We are so proud of what our team has accomplished and are grateful for the tenacity, creativity and empathy Happy Returns employees bring to work each day. We are confident that the best is yet to come, and are looking forward to our next chapter as part of the PayPal organization.”

Legionfarm, pairing pro gamers with amateurs, raises $6 million Series A

Legionfarm, the gaming platform that lets gamers play with pro players in their favorite games, has today announced the close of a $6 million Series A round. Investors in the round include SVB, Y Combinator, Scrum VC, Kevin Lin, Altair Capital, Ankur Nagpal and more.

Legionfarm launched out of Y Combinator at the beginning of last year with a mission to give pro players a way to generate income and amateur players the chance to get better by playing with a pro coach. It started out with an à la carte business model but has since added a subscription product.

A single one-hour session costs $12, or gamers can pay $25 or $50 per month, which gets them discounted prices for pros and unlimited sessions with pros who are brand new to the platform, which Legionfarm calls “rookies.”

The company was founded by Alex Beliankin, who is a former pro gamer and was once in the top .01% of World of Warcraft players. There are many, many pro caliber players out in the world who can’t necessarily make a living off of gaming. They either have to be signed by an org (super limited supply) or play in as many tournaments as possible (unreliable) or stream on Twitch.

Legionfarm gives these pros the opportunity to earn a living playing the games they love.

Meanwhile, gamers are always looking to get better but don’t often have the environments in a game to do so, particularly in Battle Royale games. Legionfarm, which supports a couple of the biggest BRs (Call of Duty: Warzone and Apex Legends), allows these players to team up with pros and learn from them.

The startup is also running a hardware support program, which lets pros on the platform effectively rent gear by paying for it over time in installments that come directly out of their earnings each month.

“Recently, we’ve learned that one pro player can acquire seven or more new customers to the platform if we work with the pro properly,” said Beliankin. “That’s the biggest growth point for us and the biggest challenge. We don’t need to demand in the performance channels, but through existing supply. If we manage to build some sustainable processes here, I think we’re going to skyrocket because we see some huge potential here.”

TypeScript 4.3 released with separate write types

Microsoft announced the release of TypeScript 4.3, which adds many new features such as separate write types on properties, the ‘override’ keyword and the ‘--noImplicitOverride’ flag, template string type improvements and more.

With separate write types, developers can specify types for reading and writing to properties. TypeScript will only use the “reading” type when considering how two properties with the same name relate to each other. On the other hand, “writing” types are only considered when directly writing to a property.

Microsoft also added the ‘override’ keyword in TypeScript 4.3 to overcome the issue that arises when a user can’t make it clear whether they mean to add a new method or to override an existing one. When a method is marked with ‘override,’ TypeScript will make sure that a method with the same name exists in the base class. 

Also, with the ‘--noImplicitOverride’ flag, it becomes an error to override any method from a superclass unless the method is explicitly marked with the ‘override’ keyword.

As part of the new template string improvements, TypeScript will now handle the work to prove whether or not each part of a template string can successfully match so that developers can now mix template strings with different substitutions while TypeScript figures out if they’re compatible. 

TypeScript 4.3 also extends #private names, previously limited to fields, to methods and accessors, making them truly private at run time.

In the new version, the ‘ConstructorParameters’ type helper now works on ‘abstract’ classes and TypeScript now includes slightly smarter type-narrowing logic on generic values, which allows it to accept more patterns. 

Other updates include always-truthy promise checks, static index signatures, .tsbuildinfo size improvements, lazier calculations in ‘–incremental’ and ‘–watch’ compilations, import statement completions, editor support for @link tags and more. 

Additional details on all of the new features in TypeScript 4.3 are available in Microsoft’s release announcement.

The post TypeScript 4.3 released with separate write types appeared first on SD Times.

Philippine e-commerce enabler Great Deals raises $30M Series B led by logistics firm Fast Group

Steve Sy, CEO of Great Deals, and William Chiongbian II, CEO of Fast Group, sign the contract for the companies’ strategic partnership. Image Credits: Great Deals

Founded in 2014, Great Deals is an e-commerce enabler that helps brands like Abbott, L’Oréal and Unilever build their online retail operations in the Philippines. The startup announced today that it has raised $30 million in Series B funding led by Fast Group, one of the Philippines’ biggest logistics firms, with support from CVC Capital Partners. Navegar, which led Great Deals’ Series A, also returned for this round.

The transaction was advised by Rocket Equities. The investment by Fast Group, which has a fleet of more than 2,500 vehicles and 90,000 stores in its distribution network, marks the beginning of a strategic partnership. Great Deals will use part of the new capital to build an automated fulfillment center, and the deal will help it increase its penetration outside the Greater Manila Area and offer more Instant Commerce, or deliveries under one hour.

Great Deals currently operates only in the Philippines, but plans to expand regionally next year, founder and chief executive officer Steve Sy told TechCrunch.

In a statement, Fast Group president and chief executive officer William Chiongbian II said, “The Fast Group sees a lot of synergies with Great Deals in building capacity. We are privileged to contribute to the growth of Philippine e-commerce, as it relies heavily on a strong supply chain backbone.”

Some of Great Deals’ other clients include Nestlé, Samsonite, GSK, Bayer and Fila. In addition to serving as an e-commerce distributor, it offers end-to-end services for brands, including digital content production, marketing campaign coordination and management of marketplace listings (Great Deals’ partners include Lazada, Shopee, Zalora, Zilingo, Shopify and Magento).

Atlassian releases new cloud app development platform: Forge

Atlassian announced that its next-generation cloud app development platform, Forge, is now generally available. 

Forge has been in beta since the beginning of 2020 and is designed to handle many of the maintenance aspects of app creation such as compliance, data management practices, scaling performance and security. 

“Forge is the culmination of over 2 years of work, during which we re-envisioned what modern cloud extensibility should look like in the next decade and beyond. We believe customers will increasingly ask for higher standards from app developers: everything from compliance and data management practices to scaling performance for tens of thousands of users,” Mike Tria, head of platform engineering, wrote in a post.

The solution is made up of three main components: a serverless Functions-as-a-Service (FaaS) hosted platform, a declarative UI language, and a DevOps toolchain, all of which serve three main pillars. 

The first pillar is that Forge lets developers build Atlassian-wide applications with all the power of the Atlassian platform, including data residency for customers that want their data kept in a particular place, encryption, audit logging and audit trails, and high scale and performance, all built on Atlassian’s own cloud infrastructure. According to the company, more than 60% of Atlassian customers use at least one app or integration from the Marketplace to solve their specific needs.

“When you build an app for some for a third party, you’re hosting it yourself and you’re spinning up resources on AWS, Azure or GCP. You’re solving your own forms of compliance, you’re dealing with data residency and you’re dealing with running data,” Tria told SD Times. “In Forge, you write serverless code, and then Atlassian takes it from there, we host it and run it so you basically get the benefits of the platform.”

The second pillar is security and enterprise readiness: every Forge app is enterprise-ready by default and can serve enterprise customers more explicitly than Connect, Atlassian’s previous framework for extending Atlassian cloud products and an option for building apps on Jira Cloud since 2014.

Atlassian said that Connect will still have some use cases – especially in a transition to Forge that takes place over time. Atlassian will keep some elements of Connect (such as the ability to have remote storage instead of Forge-hosted storage), and gradually bring Connect and Forge together as part of a single cloud app development platform.

“In Connect, the way it worked prior is an application would just get access to really any data in your instance. With Forge, that’s really narrowed down so as a customer you can make a choice such as this app can just view issue data for this one API and things like that,” Tria said. “We want the Forge apps to be just as powerful, but we want more power in the hands of admins.”

For security, Forge uses OAuth 2.0 to support more granular scopes and makes sure that apps only access the data they need to perform a customer’s use case. 

Forge also lets developers keep customer data hosted in the Atlassian cloud, which makes it easier to comply with GDPR and other regulatory requirements, and the company said it is working towards SOC 2 certification for Forge.

The third pillar for the Forge platform is to enable developers to innovate faster.

“Getting an app up and running using Connect if you’re very good will take a few hours. With Forge it’s minutes,” Tria said. “Very much at the core of Forge is the speed of development. Again, there’s less heavy lifting. It’s all just done through a simple UI and a command line that we give to developers to run and deploy their stuff so there’s a DevOps toolchain that comes with Forge that Connect never had.”

Developers can use Forge to build apps that are publicly available for other people to download and install or they can charge for it on the Marketplace. If the company is an Atlassian customer, developers can build apps just for their own company that don’t get listed on the Marketplace as well. 

Recently, Atlassian also added distribution on the Atlassian Marketplace, and new apps like Link Management for Confluence, Visualize with AWS and Easy Subtask Templates have been listed. 

The post Atlassian releases new cloud app development platform: Forge appeared first on SD Times.
