ADVERTISEMENT

Popular fitness app Fitify exposes 138K user progress photos

Fitify’s publicly accessible Google cloud storage bucket has exposed hundreds of thousands of files. Some of the files were user-uploaded progress pictures.

Fitify app leaks user photos

Image by Cybernews.

Vilius Petkauskas
Vilius Petkauskas Deputy Editor
Jul 16, 2025 Updated: 18 July 2025 5 min read
Key takeaways:
Fitify app leaks user photos
Sample of the leaked data. Image by Cybernews.
“It is also worthwhile to note that 'progress pictures' and ‘body scans’ are often captured with minimal clothing to better showcase the progress of weight loss and muscle growth. Therefore, most of the leaked images might be of the types that users normally would like to keep private and not share with anyone on the internet,”
researchers said.

What’s the extent of the Fitify data leak?

Fitify app leaks user photos
Sample of the leaked data. Image by Cybernews.
Stefanie Niamh Ancell BW Paulina Okunyte Konstancija Gasaityte profile
Stay informed and get our latest stories on Google News
Add us as your Preferred Source on Google.
ADVERTISEMENT

What hardcoded secrets did the Fitify app expose?

  • Android Client ID
  • Google Client ID
  • Google API Key
  • Firebase URL
  • Google App ID
  • Project ID
  • Storage Bucket
Fitify app leaks user photos
Image by Cybernews.
  • Android Client ID
  • Google Client ID
  • Google API Key
  • Firebase URL
  • Google App ID
  • Project ID
  • Storage Bucket
  • Facebook App ID
  • Facebook Client Token
  • Firebase Dynamic Custom Domains
  • Algolia API Key
Has my data been leaked?

How to fix leaky apps?

  • Configuring the cloud storage buckets' built-in authentication features to restrict access to only the employees and systems that are meant to access the stored data.
  • Leaked credentials need to be revoked, new credentials should be generated and stored securely within the company-controlled servers, access control settings need to be reviewed for the exposed endpoints, and it is recommended to perform an audit to determine if these vulnerabilities and misconfigurations were exploited by malicious actors. The application needs to be updated to be compatible with the new, more secure infrastructure.

  • Leak discovered: May 7th, 2025
  • Initial disclosure: May 16th, 2025
  • CERT contacted: May 29th, 2025
  • Leak closed: June 9th, 2025
ADVERTISEMENT