Nick Waters, a researcher for Bellingcat, claims to have found a way to reveal the secret identities of UK's elite SAS unit members by using the Strava fitness application, he said in an interview with the Daily Mail.
Waters abused Strava's feature allowing users to see personal information, such as full names, of those who ran the same route as you. So, if the app sees that a user ran a lap, say, inside the SAS base in Hereford, it would easily reveal the data on all of those anonymous SAS soldiers using the same app.
This Strava data-set is incredible. Looking into South Sudan and finding someone (possibly UNHCR?) who's worn themselves out doing laps of the Bunj airstrip. You can probably even work out which tent/building they live in. pic.twitter.com/UmbcQzVsH1— Nick Waters (@N_Waters89) January 27, 2018
There only problem would be to get inside the elite military base as it is locked to ordinary civilians. But Waters found a workaround this problem, since feeding Strava fake data would make it believe you actually had a training session inside that base.
"I made up my own training session and convinced Strava that I had run a certain distance in a certain time inside the base. The app then started giving me the names and Facebook profiles of people who had actually run the same route", he detailed.
Using this method, Waters got his hands on the names of 14 SAS servicemen in a mere five minutes, adding that he "freaked out" over how easy it was to have access to information he is obviously not supposed to know.
"It shows how social media is an incredibly powerful monitoring tool and it can be used by anyone to access personal information", the researcher noted.
The Strava fitness app has recently become notably effective in revealing military secrets. In 2018, the authors of the app published a global heatmap for training activities, featuring several anomalies – small hotspots located in war zones surrounded by "dark" cities. At the time, several researchers, including from Bellingcat, suggested that the hotspots indicated the presence of secret military bases where troops used Strava for training sessions, oblivious to having their location be outed.
Following the incident, The Pentagon banned the use of fitness apps and trackers on its military bases worldwide, to prevent further exposure of sensitive military data.