FakeReporter, an Israel-based open-source intelligence service, uncovered that the incognito operation was able to track people affiliated with the bases while they jogged, by adding fake “segments” to find out the past routes of other users in the area.
Users of the app do not need to verify their location and can therefore claim they exercised in any geographical location, and Strava has no means of gauging whether uploads are real.
Achiya Schatz, the executive director of the group, told The Guardian newspaper: “We contacted the Israeli security forces as soon as we became aware of this security breach. After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue.”
One of the examples shared with the newspaper showed that an individual - believed to have a connection to the Israeli nuclear programme - could be followed to other military bases and into other countries. A user named ‘Ez Shehl’ - who listed their location as “Boston, Massachusetts” - entered an array of segments across military locations in Israel, such as intelligence agencies and bases associated with Mossad and the Shin Bet.
Achiya added: “By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike.”
Strava responded by emphasising how “seriously” they take the issue and worked to “remedy” it.
The fitness app said: “We take matters of privacy very seriously and have been made aware by an Israeli group, FakeReporter, of a segment issue regarding a specific user account and have taken the necessary steps to remedy this situation.
“We provide readily accessible information regarding how information is shared on Strava, and give every athlete the ability to make their own privacy selections. For more information on all of our privacy controls, please visit our privacy centre as we recommend that all athletes take the time to ensure their selections in Strava represent their intended experience.”
This is not the first time that the app - which boasts 95 million global users - has faced concerns about military security, as a “heatmap” alerted people to the exercise paths of military personnel across the world, such as at US bases in Syria.