Running Away from Security - Web App Vulnerabilities and OSINT Collide

Explore the intersection of web application security vulnerabilities and Open Source Intelligence (OSINT) in this BSides Boston 2015 conference talk. Delve into an experiment that reveals the potential risks of sharing personal data on fitness tracking platforms. Examine how seemingly innocuous information can be exploited through techniques like source code analysis and large-scale data requests. Follow along as the speaker demonstrates OSINT techniques to uncover detailed profiles of individuals using popular fitness apps. Investigate the double standards in data privacy and the social motivations behind oversharing. Learn how to use tools like Recon-ng for efficient OSINT gathering across multiple platforms. Discover unexpected uses of fitness apps beyond their intended purposes, including nature preserve patrols and soft drink promotions. Conclude with practical advice on protecting your online presence and understanding your own OSINT profile.

Intro
An Experiment
If anyone in the world knew...
Our Data on the Internet
Selling Our Data
It all started with some exercise
The issue is in the Numbers
Look at the page source
Responsible disclosure attempt
Strava Response
But how could I get the data?
Make 800,000+ requests for random activities
What could someone do with it?
OSINT in a Nutshell
Let's meet Sandra K. on Strava
Finding Sandra K.
What about other fitness sites?
Let's meet Janna on fitbit
Garmin's site
There is a Double Standard
Need to belong/be social
This is Trisha on fitbit
Trisha Recap
Putting it all together: Mind Map
Recon-ng: Profiler Module Search 190 sites per username x 3 names = 30secs
These apps aren't just for fitness!
What are these "patrols"?
Nature Preserve Patrol
Soft Drink Anyone?
The unexplainable
What is your OSINT profile?
Protect yourself.