‘Unpatched’ vulnerabilities in Wodify fitness management platform allow attackers to steal gym payments, extract member data

&#13
Emma Woollacott

13 August 2021 at 12:00 UTC

Updated: 13 August 2021 at 12:02 UTC

Particular trainers urged to exercise warning over alleged protection flaws

Security scientists have uncovered three vulnerabilities in fitness and gymnasium administration application Wodify that could permit an authenticated consumer to modify generation facts and extract sensitive personal details.

Wodify is utilised by additional than 5,000 gyms about the globe to manage their enterprise. It is greatly used with CrossFit bins as a overall performance tracking app, generally in the US, as well as for processing membership payments.

Having said that, according to researchers from Bishop Fox, a combination of 3 vulnerabilities, rated substantial chance, could enable an attacker to go through and modify knowledge – and probably tamper with payment configurations.

The flaws are all however unpatched, the researchers assert, following an unsuccessful coordinated disclosure process that has been dragging on for 50 percent a 12 months.

(Health and fitness center) session hijack

Initially, an insecure direct object references (IDOR) vulnerability authorized the workouts of all customers of the Wodify platform to be study and modified, the Bishop Fox crew explains in a specialized analysis write-up out these days (August 13).

Because this accessibility wasn’t restricted to a one gym, box, or tenant, all entries globally could be viewed and altered.

This could allow an attacker to insert malicious stored JavaScript payloads, opening the doorway to cross-web-site scripting (XSS) exploits. The attacker could then hijack a user’s session, steal a hashed password, or steal the user’s JSON Net Token (JWT).

YOU Could ALSO LIKE Info breach at US squander management business exposes employees’ healthcare details

Attackers could even siphon payments to by themselves, Dardan Prebreza, senior safety specialist at Bishop Fox and the guide researcher at the rear of the advisory, tells The Everyday Swig.

“The economical hurt could be impacting the fitness center or CrossFit boxes’ entrepreneurs, as compromising their accounts would let the attacker to ultimately update payments configurations, and consequently have members shell out the attacker alternatively of the respectable proprietors,” he claims.

Disclosure pushbacks

The Bishop Fox workforce to start with found out the challenge on January 7, and contacted Wodify on 12 February. A repair was seemingly promised for various dates, most recently August 5.

“It has been quite hard to get in contact with them. It took virtually two months until finally they acknowledged the vulnerabilities, and only by right achieving out to their CEO by way of e mail, which then place me in touch with their new head of technologies back again in April,” suggests Prebreza.

Read extra of the most up-to-date security vulnerability information

“They had been intended to release the new patched edition in May perhaps, which then bought pushed again quite a few occasions. Last time they replied to us, they described August 5 as the remaining launch day.”

The Everyday Swig has approached Wodify for remark, and will update as and when the corporation responds.

Meanwhile, warns Bishop Fox in its advisory: “Wodify has not confirmed a patch nonetheless. We advise Wodify prospects to attain out to Wodify.”

Advised Leading hacks from Black Hat and DEF CON 2021