A rash of security flaws in the Outdoor Tech CHIPS smart headphones, which fit in ski helmets, allow bad actors to collect data like emails, passwords, GPS location – and even listen to conversations in real time.

Researchers have found a slew of vulnerabilities in a pair of smart headphones designed to fit under ski helmets. The flaws could allow a bad actor to view victims’ personal information, track them and even listen to their private conversations via the headphones’ walkie-talkie function, which uses mobile data and a phone app.

Researchers with Pen Test Partners discovered the rash of security flaws in Outdoor Tech CHIPS smart headphones.

“We speculate that the development house wasn’t following OWASP [Open Web Application Security Project] secure development practices, and Outdoor Tech wasn’t sufficiently versed in security to query this,” Pen Test Partners researcher Alan Monie said in a Monday analysis. “A shame, as we really like the product, but its security is sorely lacking. Even intended functionality leaks personally identifiable information (PII). That’s crazy.”

After realizing that the walkie-talkie function leaked PII, Monie initially decided to analyze the headphones: “The walkie-talkie app got my attention,” he said. “I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account.”

Monie discovered that through an insecure direct object reference (IDOR) glitch he was able to carry out a range of malicious activities. IDOR bugs allow retrieval of information based on some key value that is under user control (e.g. a value the user submits or a URL string that can be manipulated by the user). The key would typically identify and fetch a user-related record stored in the system; however, when this is improperly handled the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence allowing an attacker to bypass any other authorization checks present in the system.

In this specific scenario, an attacker could pull all the users and email addresses from the API, retrieving password hashes and password-reset codes in plain text, and view users’ phone numbers.

But beyond stealing personal information, bad actors could also extract users’ real-time GPS positions and listen to real-time walkie-talkie chats.

Monie also told Threatpost that anyone can download Outdoor Tech’s audio app on the App Store, and can then self-register an account and compromise any other user account remotely.

“Obviously, I only pulled data that was mine or my friends with their permission,” he said. “Anyone with less ethical intentions could do much worse.”

Making matters worse, after several attempts of notifying Outdoor Tech of the vulnerability starting on Feb. 6, researchers said the company did not acknowledge the security issue.

“We chased them again seven days later on 20th February, pointing out that we would now be publicly disclosing, as the vulnerability hadn’t been acknowledged and no remediation actions had been proposed,” said Monie. “We’ve heard nothing since.”

Outdoor Tech did not respond to a request for comment from Threatpost.