{"id":2848,"date":"2021-08-14T14:35:24","date_gmt":"2021-08-14T09:05:24","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2848"},"modified":"2021-08-14T14:35:29","modified_gmt":"2021-08-14T09:05:29","slug":"how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/","title":{"rendered":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History?"},"content":{"rendered":"\n

Investigators discover that the vulnerabilities in the Wodify fitness platform that permits the threat actor to view and modify user’s workouts from any of the more than 5,000 gyms that use the solution across the world.<\/p><\/p>\n\n\n\n

User information such as personal, workout, payments may still be at high risk since Wodify has yet to confirm the rollout of the flaw, despite being given extensive time to address the security issues.<\/p><\/p>\n\n\n\n

Wodify is an all-in-one fitness platform used by more than 5,000 gyms across the world. Apart from facilitating membership management options, it can also help its client to achieve their goals and better track their performance.<\/p><\/p>\n\n\n\n

This platform addresses both coaches and athletes and features such as the automated billing system, allow creating the custom workouts, class scheduling, and tracking fitness data (for example heart rate) in real-time.<\/p><\/p>\n\n\n\n

Modifying User Workout Information<\/strong><\/h2>\n\n\n\n

In a report posted, experts at cybersecurity company Bishop Fox revealed a set of vulnerabilities in the Wodify platform that could impact not only the users\u2019 workout and personal information but also the financials of that particular gym.<\/p><\/p>\n\n\n\n

Exploiting such flaws permit calculating and changing the entries in the Wodify platform from all the gyms that use Wodify, says Dardan Prebreza, the Senior Security Consultant at Bishop Fox. Despite the requirement of authentication, the concerns have serious indications.<\/p><\/p>\n\n\n\n

\u201cWhile modifying the data, an attacker could insert malicious stored JavaScript payloads, leading to XSS. This could be leveraged to hijack a user\u2019s session, steal a hashed password, or the user\u2019s JWT through the Sensitive Information Disclosure vulnerability\u201d – Dardan Prebreza.<\/p><\/p>\n\n\n\n

By negotiating administrative gym accounts the investigators say, a financially motivated threat attacker could edit payment set to hijack the payment from gym members. One of the vulnerabilities refers to a lack of authorization controls, which could serve to calculate the users and modify their data in the Wodify Platform.<\/p><\/p>\n\n\n\n

Extracting the bug needs authentication. The investigator tested this flaw successfully after getting consent from a Wodify customer to access their account.<\/p><\/p>\n\n\n\n

\"How-Flaws-in-Gym-Management-Software-Permits-Hackers-Wipe-Fitness<\/figure><\/div>\n\n\n\n

The type of access permitted inserting malicious code that would harm their users on that platform, \u201cincluding instance or gym administrators,\u201d via cross-site scripting (XSS) attacks.<\/p><\/p>\n\n\n\n

By adding a malicious JavaScript payload in the target user\u2019s workout comment, the investigator triggered the XSS vulnerability that could permit an attacker to modify all Wodify user’s workout data, results included.   <\/p><\/p>\n\n\n\n

\"How-Flaws-in-Gym-Management-Software-Permits-Hackers-Wipe-Fitness<\/figure><\/div>\n\n\n\n

Moreover, it has been revealed from the investigation that four preserved XSS vulnerabilities in the Wodify application. The rights of the regular users are sufficient to plant malicious JavaScript in a workout result that would directly trigger an XSS flaw.<\/p><\/p>\n\n\n\n

If the threat actor gained administrative access over a specific gym in this manner, they would be able to make changes in their payment settings, as well as access and update other user\u2019s data said Dardan Prebreza. The other vulnerability in the Wodify application discloses crucial user data and permitting stealing sessions with the help of an XSS flaw.    <\/p><\/p>\n\n\n\n

Why the Patch is not yet confirmed?<\/strong><\/h2>\n\n\n\n

Prebreza first alert Wodify of his searches more than half a year ago and was told in April that these flaws would be fixed within 90 days. The researcher told our experts that transmission with Wodify has been very tedious and it took the organization a long time to acknowledge the vulnerabilities.<\/p><\/p>\n\n\n\n

\u201cIt took almost two months until they acknowledged the vulnerabilities and only by directly reaching out to their CEO through email, which then put me in touch with their new head of technology back in April.”<\/p><\/p>\n\n\n\n

\u201cThey were supposed to release the new patched version in May, which then got inserted back some times. Last time they told to us, they mentioned August 5th as the final release date,\u201d the researcher said.<\/p><\/p>\n\n\n\n

As per the disclosure timeline from Bishop Fox, Wodify was supposed to release a new version of the app on June 11 but delayed the update for August 5. However, Bishop Fox says they have not heard from the vendor since July 13 and are unaware if a patch has been released to customers.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"

Investigators discover that the vulnerabilities in the Wodify fitness platform that permits the threat actor to view and modify user’s workouts from any of the more than 5,000 gyms that use the solution across the world. User information such as personal, workout, payments may still be at high risk since Wodify has yet to confirm […]<\/p>\n","protected":false},"author":2,"featured_media":2850,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"\nHow Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Investigators discover that the vulnerabilities in the Wodify fitness platform that permits the threat actor to view and modify user’s workouts from any of the more than 5,000 gyms that use the solution across the world. User information such as personal, workout, payments may still be at high risk since Wodify has yet to confirm […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-14T09:05:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-14T09:05:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Flaws-in-Gym-Management-Software-Permits-Hackers-Wipe-Fitness-History-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"524\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History?\",\"datePublished\":\"2021-08-14T09:05:24+00:00\",\"dateModified\":\"2021-08-14T09:05:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\"},\"wordCount\":691,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\",\"name\":\"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-08-14T09:05:24+00:00\",\"dateModified\":\"2021-08-14T09:05:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/","og_locale":"en_US","og_type":"article","og_title":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited","og_description":"Investigators discover that the vulnerabilities in the Wodify fitness platform that permits the threat actor to view and modify user’s workouts from any of the more than 5,000 gyms that use the solution across the world. User information such as personal, workout, payments may still be at high risk since Wodify has yet to confirm […]","og_url":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-08-14T09:05:24+00:00","article_modified_time":"2021-08-14T09:05:29+00:00","og_image":[{"width":1000,"height":524,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Flaws-in-Gym-Management-Software-Permits-Hackers-Wipe-Fitness-History-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History?","datePublished":"2021-08-14T09:05:24+00:00","dateModified":"2021-08-14T09:05:29+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/"},"wordCount":691,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/","url":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/","name":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History? - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-08-14T09:05:24+00:00","dateModified":"2021-08-14T09:05:29+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-flaws-in-gym-management-software-permits-hackers-wipe-fitness-history\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How Flaws in Gym Management Software Permits Hackers Wipe Fitness History?"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2848"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2848"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2848\/revisions"}],"predecessor-version":[{"id":2853,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2848\/revisions\/2853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2850"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}