Other peoples activities are synced to my accounts

[thijsadrmat]

Hi, It seems that the live version contains a problem where random activities of other people get synced to my accounts. On Runkeeper there are now around 600 activities that are not mine. I was able to unlink most of my accounts in time to prevent this from happening. On Twitter I found a couple of other people complaining about this issue. It seems to be a serious problem.

I hope this can be resolved soon, since I like this service a lot!

Thanks and goodbye

[chrislukic]

@cpfair This is a huge issue. When a request to Garmin is not authorized, instead of returning an appropriate http status code. Garmin instead now returns hundreds of runs of "test data". To fix this you will need to search the returned data for the string "ROLE_SYSTEM" and treat its presence as a 401 error.

Note the url below can now be called without authentication. https://connect.garmin.com/modern/proxy/activitylist-service/activities/search/activities?start=0&limit=10

[Antash]

@chrislukic thank you for the investigation!

[cpfair]

@chrislukic is correct, this is an unexpected change in Garmin's API behaviour that resulted in unknown, already publicly-accessible activities being returned instead of the user's own activities.

I turned off the site just over an hour ago to stop further bad synchronization, and plan to investigate the underlying issue ASAP.

For anyone concerned about compromise of their own activity data: all the incorrectly synchronized activities came from a Garmin-internal account, presumably used for their own testing purposes. No tapiriik users have had their own activities leaked to another user's account.

[Nalla306]

Is there any way of automatically removing all these activities? I have nearly 1000 of other peoples activities now on my strava dating back to December last year and its made all my training data,challenges and stats for the year useless. It would take months to manually delete them all. Thanks