How Flaws in Gym Management Software Permit Hackers to Wipe Fitness History

Investigators have discovered vulnerabilities in the Wodify fitness platform that permit a threat actor to view and modify users' workouts at any of the more than 5,000 gyms that use the solution across the world.

User information such as personal details, workout records and payments may still be at high risk, since Wodify has yet to confirm the rollout of a fix despite being given extensive time to address the security issues.

Wodify is an all-in-one fitness platform used by more than 5,000 gyms across the world. Apart from offering membership management, it also helps its clients achieve their goals and better track their performance.

The platform addresses both coaches and athletes, with features such as an automated billing system, custom workout creation, class scheduling, and real-time tracking of fitness data (for example heart rate).

Modifying User Workout Information

In a published report, experts at cybersecurity company Bishop Fox revealed a set of vulnerabilities in the Wodify platform that could impact not only users' workout and personal information but also the finances of a particular gym.

Exploiting these flaws permits enumerating and changing entries in the Wodify platform across all the gyms that use Wodify, says Dardan Prebreza, Senior Security Consultant at Bishop Fox. Although authentication is required, the implications are serious.

“While modifying the data, an attacker could insert malicious stored JavaScript payloads, leading to XSS. This could be leveraged to hijack a user’s session, steal a hashed password, or the user’s JWT through the Sensitive Information Disclosure vulnerability” – Dardan Prebreza.

By compromising administrative gym accounts, the investigators say, a financially motivated threat actor could edit payment settings to hijack payments from gym members. One of the vulnerabilities is a lack of authorization controls, which could be used to enumerate users and modify their data in the Wodify platform.

Exploiting the bug requires authentication. The investigator tested the flaw successfully after getting consent from a Wodify customer to access their account.


This level of access permitted inserting malicious code that would harm other users of the platform, "including instance or gym administrators," via cross-site scripting (XSS) attacks.

By adding a malicious JavaScript payload to the target user's workout comment, the investigator triggered the XSS vulnerability, which could permit an attacker to modify all Wodify users' workout data, results included.


Moreover, the investigation revealed four stored XSS vulnerabilities in the Wodify application. Regular user privileges are sufficient to plant malicious JavaScript in a workout result, which directly triggers the XSS flaw.

If a threat actor gained administrative access over a specific gym in this manner, they would be able to change its payment settings, as well as access and update other users' data, said Dardan Prebreza. Another vulnerability in the Wodify application discloses sensitive user data and permits session hijacking in combination with an XSS flaw.
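As an added illustration (not code from Wodify or from the Bishop Fox report), the following Python sketch models the two controls whose absence the findings describe: contextual output encoding of a stored workout comment, and an object-level authorization check before another user's record can be modified. All names, classes and sample records here are hypothetical and constructed for the example.

```python
# Added example: hypothetical model of a workout-result store with the two
# missing controls. Not Wodify code; all identifiers are invented.
import html
from dataclasses import dataclass


@dataclass
class Workout:
    id: int
    owner: str      # athlete who logged the result
    gym_id: int     # gym the result belongs to
    comment: str    # free-text field, untrusted user input


@dataclass
class User:
    name: str
    gym_id: int
    is_gym_admin: bool = False


# Constructed sample data; the second comment is a textbook stored-XSS probe.
WORKOUTS = {
    1: Workout(1, "alice", 100, "Great session"),
    2: Workout(2, "bob", 200, "<script>alert(1)</script>"),
}


def render_comment_unsafe(w: Workout) -> str:
    """Vulnerable pattern: untrusted text concatenated straight into HTML."""
    return f"<p class='comment'>{w.comment}</p>"


def render_comment(w: Workout) -> str:
    """Hardened pattern: HTML-encode at output time, so stored markup is inert."""
    return f"<p class='comment'>{html.escape(w.comment, quote=True)}</p>"


def can_modify(actor: User, w: Workout) -> bool:
    """Object-level authorization: the owner, or an admin of the *same* gym."""
    if actor.name == w.owner:
        return True
    return actor.is_gym_admin and actor.gym_id == w.gym_id


def update_comment(actor: User, workout_id: int, new_comment: str) -> bool:
    """Hardened update path: authorize before touching any record."""
    w = WORKOUTS.get(workout_id)
    if w is None or not can_modify(actor, w):
        return False  # deny; a real service would also log the attempt
    w.comment = new_comment
    return True
```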

Why Is the Patch Not Yet Confirmed?

Prebreza first alerted Wodify to his findings more than half a year ago and was told in April that the flaws would be fixed within 90 days. The researcher told our experts that communication with Wodify has been very tedious and that it took the organization a long time to acknowledge the vulnerabilities.

"It took almost two months until they acknowledged the vulnerabilities, and only by directly reaching out to their CEO through email, who then put me in touch with their new head of technology back in April."

"They were supposed to release the new patched version in May, which then got pushed back some times. Last time they talked to us, they mentioned August 5th as the final release date," the researcher said.

According to the disclosure timeline from Bishop Fox, Wodify was supposed to release a new version of the app on June 11 but delayed the update to August 5. However, Bishop Fox says they have not heard from the vendor since July 13 and are unaware whether a patch has been released to customers.
