Tracking the President: The Hidden OSINT Power of Strava Heatmaps

BillyTheSkid
Oct 28, 2024

Recent reporting by Le Monde on the Strava data of President Macron’s bodyguards revealed their exact locations and routes, indirectly exposing his position.

“Strava, une histoire émaillée de failles de sécurité” (Strava, a history peppered with security flaws)

When questioned about this security breach, the Élysée responded nonchalantly, stating, “It is not a problem,” showing a concerning disregard for the potential risks to Macron and the safety of his team and their families.

Where the security flaw starts

Pierre, a member of France’s elite presidential protection unit, regularly records his jogging routes on Strava. His runs, typically in sensitive locations like the Élysée Palace, might seem harmless; however, they leave a digital trail that could compromise both his safety and the President’s.

Le Monde found that Pierre wasn’t the only one; profiles of 12 agents were openly available, each unwittingly broadcasting the routes of their jogs across various cities worldwide, coinciding with presidential trips. These routes were not just random paths but often led directly to specific hotels and secure locations where French President Emmanuel Macron or his team stayed.

For instance, in 2020, just three days before Macron’s arrival in Vilnius, Pierre’s run ended at a five-star hotel, the Grand Hotel Vilnius, precisely where Macron would later stay.

“It’s not a problem” says the Élysée

Over a few weeks of basic online research, the Le Monde team managed to pinpoint the President’s exact hotel ten times based on these jogging routes. For example, ahead of the Queen of England’s funeral in 2022, two bodyguards ran close to the Hotel Savoy in London — where Macron eventually stayed, a fact later confirmed through social media posts.

This revelation poses severe security implications. If casual research on an app like Strava could identify high-profile movements, the resources of an intelligence agency could yield even more concerning results. Despite warnings, as of Le Monde’s last checks, nine of the twelve identified Strava profiles remained public…

The Larger Implications of Strava in OSINT

This security flaw is not limited to the French presidency. It represents a growing concern globally, as high-profile figures and their security teams unknowingly broadcast sensitive data through popular fitness applications.

The last big example of this security flaw was the exposure of secret bases and patrol routes:

Strava Data Heat Maps Expose Military Base Locations Around the World | WIRED

What about you, a Strava user who loves posting your amazing workouts on Instagram?

Lastly, I want to discuss another aspect of the Strava OSINT issue.

Many users post their Strava workouts in their stories on Snapchat, Instagram, … often including screenshots of their personal view in the app. When you publish a Strava exercise, the app hides the start and end points to protect your home address:

Your exercise POV

But what happens if you share a screenshot of your personal view? In that view, the start and end points aren’t masked.

So please be careful!
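
To make the masking described above concrete, here is an added Python example (not from the original post, and not Strava's actual algorithm): it drops every track point within an assumed 200 m radius of a run's start and end, then checks whether a track about to be shared still exposes them. The coordinates, the radius and the function names are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def _near(point, anchors, radius_m):
    return any(haversine_m(point, a) <= radius_m for a in anchors)

def mask_endpoints(track, radius_m=200.0):
    """Remove every point within radius_m of the first or last point.

    Filtering the whole track (not only its two ends) also hides the
    moments when a loop passes the front door again mid-run.
    """
    if not track:
        return []
    anchors = (track[0], track[-1])
    return [p for p in track if not _near(p, anchors, radius_m)]

def leaks_endpoint(shared, original, radius_m=200.0):
    """True if the track about to be shared still shows a point close to
    where the original recording started or ended."""
    if not original:
        return False
    anchors = (original[0], original[-1])
    return any(_near(p, anchors, radius_m) for p in shared)

# Constructed sample: an out-and-back run from a made-up "home" at
# (48.0, 2.0), one point every 0.0005 degrees of latitude (about 56 m).
_out = [(round(48.0 + i * 0.0005, 4), 2.0) for i in range(11)]
SAMPLE_TRACK = _out + _out[-2::-1]

if __name__ == "__main__":
    masked = mask_endpoints(SAMPLE_TRACK)
    print("raw points:", len(SAMPLE_TRACK), "masked points:", len(masked))
    print("personal view leaks home:", leaks_endpoint(SAMPLE_TRACK, SAMPLE_TRACK))
    print("masked view leaks home:  ", leaks_endpoint(masked, SAMPLE_TRACK))
```

The unmasked track plays the role of the personal-view screenshot: it fails the check, while the masked copy passes.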
