The Strava fitness-tracking app is being used to spy upon members of the Israeli military, tracking their movements at secret bases across the country and potentially even help observe their activities when they travel overseas.
That's the finding of FakeReporter, an Israeli open-source intelligence operation, which says it identified the surveillance campaign was used to gather data on at least 100 individuals who exercised at six secret military bases.
The popular Strava app allows fitness fanatics to define "segments" - portions of road or trail where athletes can compare times. Segments can be created either directly through the Strava app. or by uploading GPS data from other services.
However, Strava has no way of knowing whether GPS data uploaded to its service to create a segment is legitimate or not.
And it's one set of such seemingly faked segments - made by a user who gave their location as Boston, MA, but uploaded fake segments at Israeli military establishments, intelligence agency outposts, and supposedly secure bases associated with Israel's nuclear programme - which have rung alarm bells.
In a series of tweets, FakeReporter claims that the personal information of users’ serving in the classified facilities was exposed, including details of their family members, colleagues, home addresses, and overseas travel history.
As a consequence, individuals working undercover could be identified, and national security could be jeopardised, argues FakeReporter.
"By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike," FakeReporter's executive director Achiya Schatz told The Guardian.
Worryingly, the surveillance technique manages to bypass some of the privacy features built into Strava. For instance, although Strava users can set their profiles to be visible to “approved followers only”, individual runs must be individually secured or else a user's profile picture, first name and initial are shown on segments to encourage others to compete.
With enough segments scattered across the map, individuals can still be identified: one user, for instance, tracked their participation in a publicly reported race, which they won, as well as running in secure military establishments.
For its part, Strava says that it takes user privacy "very seriously", and allows users to make individual choices about what they decide to share.
"We recommend that all athletes take the time to ensure their selections in Strava represent their intended experience," says the company.
Back in early 2018, Australian researcher Nathan Ruser revealed that a new Strava heatmap feature was unwittingly revealing the movement patterns of security forces at military bases around the world, as soldiers jogged and patrolled.