Fitbit develops various fitness devices (bands, smartwatches) that provide users with information like the number of steps walked.
Security researcher Kevin Breen, director of threat research at Immersive Labs, warns that malicious apps can be uploaded to Fitbit's own domains. Because the app is then served from a Fitbit domain, an attacker can more easily trick users into installing it, and once installed it can harvest the wealth of personal data that Fitbit devices collect from their sensors or from the paired phone.
Breen tested this by uploading a malicious proof-of-concept app to a Fitbit domain, and the upload succeeded.
“Essentially, it could send device type and location, user information such as gender, age, height, heart rate and weight, as well as accessing calendar info. Whilst this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations,” stated the researcher.
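The practical check that follows from Breen's finding is to look at what an app asks for before installing it: the data he lists (location, profile fields, heart rate, calendar) is only reachable through permissions the app declares, and it can only leave the device if it also has network access. The script below is an added example, not code from the article or from Immersive Labs. It triages a constructed manifest; the layout of that manifest (a package.json with a `fitbit.requestedPermissions` list) and the permission names used are assumptions about the Fitbit app format, not facts taken from the article.

```python
import json

# Constructed sample manifest (an assumption about the Fitbit app package.json layout,
# not taken from the article). The UUID is a placeholder.
SAMPLE_MANIFEST = """
{
  "name": "step-widget",
  "fitbit": {
    "appUUID": "00000000-0000-0000-0000-000000000000",
    "requestedPermissions": [
      "access_activity",
      "access_heart_rate",
      "access_user_profile",
      "access_location",
      "access_calendar",
      "access_internet",
      "run_background"
    ]
  }
}
"""

# Permission names (assumed) mapped to the data the researcher says a rogue app can collect.
SENSITIVE = {
    "access_heart_rate": "heart rate",
    "access_user_profile": "gender, age, height, weight",
    "access_location": "location",
    "access_calendar": "calendar entries (names, locations)",
}

# Permissions that give the app a way to get the data off the device or to keep
# collecting it when the user is not looking at the app.
EXFIL_CHANNELS = {"access_internet", "run_background"}


def requested_permissions(manifest_text):
    """Return the set of permissions declared in the manifest (empty if none)."""
    data = json.loads(manifest_text)
    return set(data.get("fitbit", {}).get("requestedPermissions", []))


def triage(manifest_text):
    """Summarise what the app could read and whether it can send it anywhere.

    risk is 'high' when sensitive data is readable AND the app has internet access,
    'medium' when sensitive data is readable but cannot leave the device via the
    app's own network access, and 'low' otherwise.
    """
    perms = requested_permissions(manifest_text)
    exposed = sorted(SENSITIVE[p] for p in perms & SENSITIVE.keys())
    channels = sorted(perms & EXFIL_CHANNELS)
    if exposed and "access_internet" in perms:
        risk = "high"
    elif exposed:
        risk = "medium"
    else:
        risk = "low"
    return {"exposed": exposed, "exfil_channels": channels, "risk": risk}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"risk: {report['risk']}")
    for item in report["exposed"]:
        print(f"  can read: {item}")
    for ch in report["exfil_channels"]:
        print(f"  channel:  {ch}")
```

The point of separating "exposed" from "exfil_channels" is that a step counter with access_activity alone is not a concern, while the same app adding access_internet to a profile or location permission matches exactly the combination Breen describes.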