Security researchers discovered several flaws in the Wodify fitness platform that allow an attacker to modify other users' workouts. Over 5,000 gyms around the world use the platform.
Due to the nature of the issues, it is possible that the sensitive data of users, including personal and financial details, could be at risk.
Wodify is a fitness platform that enables users to manage their membership, track their fitness goals, and improve their performance.
According to researchers at cybersecurity company Bishop Fox, flaws in the Wodify platform could allow hackers to tamper with users’ personal information and the gym’s financial records.
The Wodify platform is prone to several security issues which, although they require authentication, can lead to serious consequences, such as theft of funds.
“While modifying the data, an attacker could insert malicious stored JavaScript payloads, leading to XSS. This could be leveraged to hijack a user’s session, steal a hashed password, or the user’s JWT through the Sensitive Information Disclosure vulnerability,” said Dardan Prebreza.
According to a researcher, an attacker could easily modify the payment settings of gym members to steal their money.
One of the issues, an insufficient authorization bug, could allow an authenticated attacker to modify data stored in Wodify that they are not authorized to change. The researchers discovered this issue after getting consent from a Wodify customer to test it out.
Exploiting this vulnerability involves inserting malicious code via cross-site scripting (XSS). An attacker could add a JavaScript payload to a target user’s workout comment, trigger the XSS vulnerability, and modify all Wodify users’ workout data. With this type of access, hackers could easily wipe a user’s entire history, which would have a negative effect on an athlete’s training sessions.
Attackers could exploit the XSS vulnerabilities to run malicious code that gains administrative access, hijacks sessions, and exposes sensitive information.
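The two weaknesses described above, insufficient authorization on workout data and stored XSS in workout comments, map to two missing controls. The following is an added example written for this article; it is not Wodify's code, and the store, user ids and function names are constructed for illustration. It shows a comment-update handler that enforces object-level authorization (not just "is logged in"), output encoding at render time so a stored comment can never become executable markup, and the headers that limit the damage of a missed escape (a CSP without inline script, and an HttpOnly session cookie so a script cannot read the session token).

```javascript
// Added example (not Wodify's code). Names and data are hypothetical.

// Constructed in-memory store: each workout is owned by exactly one user.
const workouts = new Map([
  [101, { id: 101, ownerId: 'athlete-1', comment: '' }],
  [102, { id: 102, ownerId: 'athlete-2', comment: '' }],
]);

// Control 1: object-level authorization. Being authenticated is not enough;
// the requester must own the workout (or hold an explicit admin role).
function updateWorkoutComment(store, requester, workoutId, comment) {
  const workout = store.get(workoutId);
  if (!workout) return { ok: false, status: 404 };

  const isOwner = workout.ownerId === requester.id;
  const isAdmin = requester.roles.includes('admin');
  if (!isOwner && !isAdmin) return { ok: false, status: 403 };

  // Basic input validation: type and length. Content is stored verbatim;
  // neutralising it for HTML is the renderer's job (Control 2).
  if (typeof comment !== 'string' || comment.length > 1000) {
    return { ok: false, status: 400 };
  }
  workout.comment = comment;
  return { ok: true, status: 200 };
}

// Control 2: output encoding. Every stored comment is escaped when placed
// into HTML, so a payload saved as text stays text in the browser.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderComment(store, workoutId) {
  const workout = store.get(workoutId);
  if (!workout) return '';
  return `<p class="comment">${escapeHtml(workout.comment)}</p>`;
}

// Control 3 (defence in depth): headers that contain the blast radius of a
// missed escape. No inline script under CSP; session cookie unreadable from
// document.cookie because it is HttpOnly. "<opaque>" is a placeholder value.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': 'session=<opaque>; HttpOnly; Secure; SameSite=Lax',
  };
}

// Stand-alone demo: a non-owner is refused, the owner succeeds, and the
// stored markup is rendered inert.
const attacker = { id: 'athlete-2', roles: [] };
const owner = { id: 'athlete-1', roles: [] };
console.log(updateWorkoutComment(workouts, attacker, 101, '<img src=x onerror=alert(1)>'));
console.log(updateWorkoutComment(workouts, owner, 101, '<b>PR today</b>'));
console.log(renderComment(workouts, 101));
```

The ownership check is the fix for the authorization bug; the escape-on-render is the fix for the stored XSS. Keeping both is deliberate: the authorization check stops a stranger writing to your workout, while the encoding ensures that even a comment written by a legitimate but malicious member cannot execute in another user's browser.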
“If an attacker gained administrative access over a specific gym in this manner, they would be able to make changes to payment settings, as well as access and update other users’ personal information,” said Dardan Prebreza.
After finding several bugs in the platform, the researcher notified the company about the issues half a year ago, but the fixes are not yet available.
“It took almost two months until they acknowledged the vulnerabilities and only by directly reaching out to their CEO via email, which then put me in touch with their new head of technology back in April. They were supposed to release the new/patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5th as the final release date,” the researcher said.