
Bugs in gym management software let hackers change user workout results


Multiple vulnerabilities in Wodify fitness management platform

Security researchers discovered vulnerabilities in the Wodify fitness platform that allow an attacker to view and modify user workouts from any of the more than 5,000 gyms that use the solution worldwide.

User data (e.g. personal details, workouts, payments) could currently be at risk, since Wodify has yet to confirm the rollout of a patch despite being given ample time to address the security issues.

Wodify is an all-in-one platform used by more than 5,000 gyms worldwide. Apart from offering membership management options, it also helps clients reach their goals and better track their performance.

The platform addresses both coaches and athletes and features an automated billing system, class scheduling, the creation of custom workouts, and real-time tracking of fitness data (e.g. heart rate).

Changing user workout data

In a report published today, researchers at cybersecurity company Bishop Fox disclosed a set of vulnerabilities in the Wodify platform that could affect not only users' workouts and personal information but also the financials of a gym.

Exploiting the flaws allows enumerating and modifying entries in the Wodify platform from all the gyms that use it, says Dardan Prebreza, Senior Security Consultant at Bishop Fox. Although exploitation requires an authenticated account, the issues have serious implications.

“While modifying the data, an attacker could insert malicious stored JavaScript payloads, leading to XSS. This could be leveraged to hijack a user’s session, steal a hashed password, or the user’s JWT via the Sensitive Information Disclosure vulnerability” – Dardan Prebreza

By compromising administrative gym accounts, the researcher says, a financially motivated attacker could edit payment settings to steal money from gym members.

One of the vulnerabilities concerns insufficient authorization controls: the application authenticated the caller but did not verify that the caller was permitted to act on the user record it requested, which could serve to enumerate users and change their data in the Wodify platform.

Leveraging the bug requires authentication. The researcher tested it successfully after getting consent from a Wodify customer to use their account.

Enumerating user IDs in Wodify fitness management app

This kind of access allowed inserting malicious code that would affect other users on the platform, “including event or gym administrators,” through cross-site scripting (XSS) attacks.

By adding a malicious JavaScript payload to the target user's workout comment, the researcher triggered the XSS vulnerability, which would allow changing the workout data, results included, of any Wodify user.

XSS triggered in Wodify fitness management app

Further investigation revealed four stored XSS vulnerabilities in the Wodify application. The privileges of a regular user are sufficient to plant malicious JavaScript in a workout result, where it is stored and later rendered to other users.

Any user who loaded that page would run the attacker's code in their own session; if that user was a gym administrator, the attacker could gain administrative access to the target gym's application.

“If an attacker gained administrative access over a specific gym in this manner, they would be able to make changes to payment settings, as well as access and update other users’ personal information” – Dardan Prebreza

Another vulnerability in the Wodify application, a sensitive information disclosure flaw, exposes user data such as the hashed password and the JWT mentioned by the researcher; combined with the XSS flaw, it allows hijacking user sessions.
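The two weaknesses described in this section, missing object-level authorization on workout records and stored JavaScript in workout comments, follow a well-known pattern. The example below is an added illustration written for this page; it is not Wodify's or Bishop Fox's code and reproduces no detail of their application. The users, workouts, roles and the rule that a gym admin may edit entries in their own gym are all assumptions constructed for the example, and the payload only references a hypothetical function name.

```javascript
// Added illustration, not Wodify's or Bishop Fox's code. A toy workout-result
// store with the two controls the report says were missing: object-level
// authorization on writes, and output encoding when a stored comment is rendered.
// Users, workouts, roles and the "same-gym admin may edit" rule are assumptions
// constructed for this example.

const users = {
  101: { id: 101, gymId: 1, role: "athlete" },
  102: { id: 102, gymId: 1, role: "athlete" },
  201: { id: 201, gymId: 2, role: "admin" },
};

const workouts = new Map([
  [5001, { id: 5001, ownerId: 101, gymId: 1, result: "4:32", comment: "felt good" }],
  [5002, { id: 5002, ownerId: 102, gymId: 1, result: "5:10", comment: "" }],
]);

const EDITABLE = ["result", "comment"]; // allow-list of fields a client may change

function pickEditable(fields) {
  const out = {};
  for (const k of EDITABLE) if (k in fields) out[k] = fields[k];
  return out;
}

// Vulnerable pattern: only authentication is checked (the caller is some user),
// so any logged-in user can update any workout by guessing its id.
function updateWorkoutInsecure(actorId, workoutId, fields) {
  if (!users[actorId]) return { ok: false, error: "unauthenticated" };
  const w = workouts.get(workoutId);
  if (!w) return { ok: false, error: "not found" };
  Object.assign(w, pickEditable(fields));
  return { ok: true, workout: w };
}

// Hardened pattern: the actor must own the entry, or be an admin of the same gym.
function canModifyWorkout(actor, w) {
  if (!actor || !w) return false;
  if (actor.id === w.ownerId) return true;
  return actor.role === "admin" && actor.gymId === w.gymId;
}

function updateWorkoutSecure(actorId, workoutId, fields) {
  const actor = users[actorId];
  const w = workouts.get(workoutId);
  // Same response for "missing" and "forbidden", so the endpoint cannot be
  // used to enumerate which ids exist.
  if (!canModifyWorkout(actor, w)) return { ok: false, error: "not found" };
  Object.assign(w, pickEditable(fields));
  return { ok: true, workout: w };
}

// Stored XSS: interpolating the stored comment into HTML executes whatever
// markup it contains in the browser of every user who views the workout.
function renderCommentInsecure(w) {
  return `<div class="comment">${w.comment}</div>`;
}

// Output encoding at render time turns the payload back into inert text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSecure(w) {
  return `<div class="comment">${escapeHtml(w.comment)}</div>`;
}

// Walk through the attack and the fix. The payload is constructed; it only
// names a hypothetical function and never runs here.
function demo() {
  const attacker = 101;       // a regular athlete in gym 1
  const victimWorkout = 5002; // owned by user 102
  const payload = '<img src=x onerror="stealToken()">';

  const insecureWrite = updateWorkoutInsecure(attacker, victimWorkout, { comment: payload });
  const rawHtml = renderCommentInsecure(workouts.get(victimWorkout));  // payload is live HTML
  const safeHtml = renderCommentSecure(workouts.get(victimWorkout));   // payload is escaped
  const secureWrite = updateWorkoutSecure(attacker, victimWorkout, { comment: payload });  // rejected
  const adminOtherGym = updateWorkoutSecure(201, victimWorkout, { comment: payload });     // rejected
  const ownerWrite = updateWorkoutSecure(102, victimWorkout, { comment: "cleaned up" });   // allowed

  return { insecureWrite, rawHtml, safeHtml, secureWrite, adminOtherGym, ownerWrite };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points carry over to any real application of this shape. Authorization is decided per object, not per endpoint, and the denial looks identical to "not found" so that probing ids reveals nothing. Encoding happens at the point of rendering rather than at the point of storage, so the stored value stays intact for other consumers and a later change of output context cannot silently reintroduce the injection. Note that escaping only covers the HTML body context shown here; a comment placed inside an attribute, a script block or a URL needs the encoding appropriate to that context, and a session token readable by page script (as a JWT in local storage would be) remains exposed to any XSS that survives, which is why keeping the session in an HttpOnly cookie limits what a payload like the one above can steal.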

A patch is not confirmed

Prebreza first notified Wodify of his findings more than half a year ago and was told in April that the bugs would be fixed within 90 days.

The researcher told BleepingComputer that communication with Wodify has been very difficult and that it took the company a long time to acknowledge the vulnerabilities.

“It took almost two months until they acknowledged the vulnerabilities and only by directly reaching out to their CEO via email, which then put me in contact with their new head of technology back in April.”

“They were supposed to release the new/patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5th as the final release date,” the researcher said.

According to the disclosure timeline from Bishop Fox, Wodify was supposed to release a new version of the app on June 11 but delayed the update to August 5.

However, Bishop Fox says they have not heard from the vendor since July 13 and do not know whether a patch has been released to customers.

BleepingComputer has reached out to Wodify but had not heard back by publishing time.
