The Cybernews research team says it’s uncovered a data leak involving Fitify, a popular iOS fitness app with over 25 million installs globally.
According to the report, researchers discovered that 373,000 sensitive user files, including 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket with no password protection or encryption at rest, meaning anyone could access them.
Cybernews says that among the leaked files were:
- 206,000 user profile photos
- 138,000 progress pictures uploaded by users to track fitness changes
- 13,000 AI coach message attachments, which may include images or text
- 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture)
Cybernews says that its research highlights include:
- Many of the exposed photos were semi-nude body scans, captured by users trying to document weight loss or muscle growth.
- Fitify promises encryption in transit, but the lack of basic access controls poses serious privacy risks.
- Researchers also found hardcoded secrets embedded in the app’s code — including Google API and Client IDs, Firebase database URLs, Facebook tokens, and even an Algolia API key, which wasn’t disclosed in the privacy policy.
- These exposed credentials could let attackers access backend infrastructure, impersonate users, or inject malicious content.
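The core failure the report describes is a storage bucket whose access policy lets anyone read it. The following is an added defender-side example, not code from Cybernews or Fitify, that audits a Google Cloud Storage bucket for that condition. It assumes the IAM policy is in the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and that bucket metadata follows the Cloud Storage JSON API bucket resource (`iamConfiguration.publicAccessPrevention`); both sample documents below are constructed for this example, as are the bucket and principal names.

```python
"""Audit a Google Cloud Storage bucket's IAM policy for public access.

Added example; not from Cybernews or Fitify. Inputs are assumed to be the
JSON returned by `gcloud storage buckets get-iam-policy BUCKET --format=json`
(policy) and the Cloud Storage JSON API bucket resource (metadata). The
sample documents at the bottom are constructed for this example.
"""
from typing import Dict, List, Tuple

# Both principals make objects readable by the whole internet or by anyone
# with a Google account, which for user uploads amounts to the same thing.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that grant access to public principals."""
    found: List[Tuple[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((role, member))
    return found


def public_access_prevention_enforced(bucket_metadata: dict) -> bool:
    """True when the bucket-level guardrail blocks public grants regardless of IAM."""
    iam_cfg = bucket_metadata.get("iamConfiguration", {})
    return iam_cfg.get("publicAccessPrevention") == "enforced"


def audit_bucket(name: str, policy: dict, metadata: dict) -> Dict[str, object]:
    """Combine the two checks into one finding for the bucket."""
    findings = public_bindings(policy)
    pap = public_access_prevention_enforced(metadata)
    return {
        "bucket": name,
        "public_bindings": findings,
        "public_access_prevention": pap,
        # Objects are world-readable only if a public grant exists AND
        # public access prevention is not enforced on the bucket.
        "publicly_readable": bool(findings) and not pap,
    }


# Constructed sample: a bucket with the kind of misconfiguration the report describes.
LEAKY_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}
LEAKY_METADATA = {
    "name": "example-user-uploads",
    "iamConfiguration": {"publicAccessPrevention": "inherited"},
}

# Constructed sample: the same bucket after remediation. Only the backend
# service account can read objects, and the guardrail is switched on.
FIXED_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:api-backend@example-project.iam.gserviceaccount.com"],
        },
    ],
}
FIXED_METADATA = {
    "name": "example-user-uploads",
    "iamConfiguration": {"publicAccessPrevention": "enforced"},
}

if __name__ == "__main__":
    for label, pol, meta in (
        ("leaky", LEAKY_POLICY, LEAKY_METADATA),
        ("fixed", FIXED_POLICY, FIXED_METADATA),
    ):
        print(label, audit_bucket(meta["name"], pol, meta))
```

Checking `publicAccessPrevention` alongside the bindings matters because the enforced setting blocks public grants even if someone later adds `allUsers` to a binding; a bucket that fails both checks is the case described above, where user photos were reachable without any credential.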
To read the full research report and see samples of screenshots, click here. Cybernews is “an independent media outlet, where journalists and security experts debunk cyber by research, testing and data.”
I hope you’ll help support Apple World Today by becoming a patron. All our income is from Patreon support and sponsored posts. Patreon pricing ranges from $2 to $10 a month. Thanks in advance for your support.