The Strava social exercise app can reveal your home address

The Strava social exercise app can be used to locate a user’s home.

A new report claims that the activity-tracking social network Strava — already knocked off stride when it was revealed that its users were unwittingly mapping out secret U.S. military bases overseas — has a major privacy problem: it can publicly reveal where its users live.

To make matters worse, the report from the mobile-security firm Wandera says this problem occurs when users try to mark their homes or other sensitive spots as private, not because of any failure to enable the right privacy settings.

In fewer words, people who followed the company’s advice about how to keep their home addresses private may have instead made them easier to find.

A Venn diagram of risk

The post by Wandera, one of a new crop of firms specializing in mobile security, explains how Strava’s “Privacy Zones” feature can pinpoint a runner or cyclist because these zones are represented as identical circles of on a map. The circles then block out where you start or end a run.

(Warning, geometry ahead.)

“Using the ending points of an activity, it is possible to determine which radius option was selected by the user and then to triangulate the exact location of the selected address,” the report says. “As the privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect.”

Think of the Venn diagrams that have become their own internet meme, except that in this case they let other people know where you live, or at least where you keep your expensive, carbon-fiber road bicycle.

“The re-identification strategy discussed here (points on a circle) appears to be effective and quite problematic,” said Stacey Gray, policy counsel with the Future of Privacy Forum, a Washington, D.C.-based think tank. “It might be unique to Strava … I’m not aware of any other fitness app that allows similar radius-based zones of privacy.”

Strava’s sole comment on privacy issues after the military-bases story broke — along with the subsequent documentation by developer Steve Loughran of how to track a stranger on Strava by uploading a fake activity-route log — had been a January 29 open letter posted on Strava’s site by CEO James Quarles.

The post says the San Francisco-based company is “reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent” and is working on “simplifying our privacy and safety features.”

But on Wednesday, Strava spokesman Andrew Vontz addressed Wandera’s report specifically. “While Strava’s engineering team has been working to augment and improve privacy options well before we were contacted by this company and others, we appreciate their interest in our platform,” he said. “In the coming weeks Strava will be rolling out more privacy options for users.”