iOS Fitness app Fitify exposes 138K user private photos

Posted: Wed Jul 16, 2025 7:43 pm
by ccgr
The Cybernews research team has uncovered a data leak involving Fitify, a popular fitness app with over 25 million installs globally. Researchers discovered that 373,000 sensitive user files — including 138,000 progress photos — were stored in a publicly accessible Google Cloud bucket — with no password protection or encryption at rest, meaning anyone could access them.

Among the leaked files were:

206,000 user profile photos

138,000 progress pictures uploaded by users to track fitness changes

13,000 AI coach message attachments, which may include images or text

6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture)

Key research highlights

Many of the exposed photos were semi-nude body scans, captured by users trying to document weight loss or muscle growth.

Fitify promises encryption in transit, but the lack of basic access controls poses serious privacy risks.

Researchers also found hardcoded secrets embedded in the app’s code — including Google API and Client IDs, Firebase database URLs, Facebook tokens, and even an Algolia API key, which wasn't disclosed in the privacy policy.

These exposed credentials could let attackers access backend infrastructure, impersonate users, or inject malicious content.
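A defender's check for the bucket misconfiguration described in the post, added here as an example and not code from the Cybernews report or from Fitify: it audits a Google Cloud Storage bucket IAM policy (the JSON that `gsutil iam get gs://BUCKET` returns) for bindings granted to the public principals allUsers and allAuthenticatedUsers, and produces a cleaned policy. The sample policy and bucket details are constructed.

```python
"""Audit a Google Cloud Storage bucket IAM policy for public access.

Added example, not from the Cybernews report: inspects the JSON returned by
`gsutil iam get gs://BUCKET` and flags bindings to public principals.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let the holder read object contents; a public grant of any of
# these is exactly the "anyone could access them" condition in the report.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}


def find_public_bindings(policy):
    """Return (role, principal) pairs granted to allUsers/allAuthenticatedUsers."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def exposes_object_reads(policy):
    """True if the public can read stored files (the Fitify failure mode)."""
    return any(role in READ_ROLES for role, _ in find_public_bindings(policy))


def strip_public_access(policy):
    """Return a deep copy of the policy with public principals removed."""
    cleaned = json.loads(json.dumps(policy))  # do not mutate the input
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding["members"]
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:  # drop bindings left with no members
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


# Constructed sample policy (no real bucket): public read on every object.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:dev@example.com"]}
  ],
  "etag": "CAE=", "version": 1
}""")
```

This only covers bucket-level IAM; if uniform bucket-level access is disabled, per-object ACLs can still make individual files public, so enabling it is the simpler control to verify.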