Researchers discovered several flaws in the Wodify fitness platform that allow an attacker to modify other users' workouts. Over 5,000 gyms around the world use the platform.
Due to the nature of the issues, it is possible that the sensitive data of users, including personal and financial details, could be at risk.
Wodify is a fitness platform that enables users to manage their membership, track their fitness goals, and improve their performance.
According to researchers at cybersecurity company Bishop Fox, flaws in the Wodify platform could allow hackers to tamper with users' personal information and the gym's financial records.
The Wodify platform is prone to several security issues which, although they require authentication, can lead to serious consequences such as theft of funds.
According to a researcher, an attacker could easily modify the payment settings of gym members to steal their money.
One of the issues, an insufficient authorization bug, could allow an attacker to modify data stored in Wodify, exposing users to unauthorized configuration changes. The researchers discovered this issue after getting consent from a Wodify customer to test it.
Attackers could exploit the XSS vulnerabilities to run malicious code, gain administrative access, hijack sessions, and expose sensitive information.
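The insufficient-authorization bug described above is an object-level access control failure: the request is authenticated, but the server never checks that the caller is allowed to touch the specific record being modified. The following example, added here and not taken from Wodify or Bishop Fox, shows the vulnerable pattern beside the corrected one for a hypothetical "update workout" operation; all names (`WorkoutStore`, `Workout`, `User`, roles) are assumptions made for the illustration.

```python
# Added example (not Wodify's code): object-level authorization on a
# "modify workout" operation. Names and data model are hypothetical.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    gym_id: int
    role: str  # "member" or "admin" (assumed roles)


@dataclass
class Workout:
    workout_id: int
    owner_id: int
    gym_id: int
    notes: str


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not permitted to modify a record."""


class WorkoutStore:
    def __init__(self):
        self.workouts = {}

    def add(self, workout):
        self.workouts[workout.workout_id] = workout

    def update_notes_insecure(self, caller, workout_id, notes):
        # Vulnerable pattern: the caller is authenticated (we have a User),
        # but nothing ties the caller to the record, so any logged-in user
        # can rewrite any workout by supplying its ID.
        workout = self.workouts[workout_id]
        workout.notes = notes
        return workout

    def is_permitted(self, caller, workout):
        # Owner may edit their own workout; a gym admin may edit workouts
        # belonging to members of the same gym only.
        if caller.user_id == workout.owner_id:
            return True
        return caller.role == "admin" and caller.gym_id == workout.gym_id

    def update_notes(self, caller, workout_id, notes):
        # Hardened pattern: look up the record, then check the caller's
        # relationship to it before any mutation. Return 404-style "not
        # found" semantics upstream if you prefer not to confirm existence.
        workout = self.workouts.get(workout_id)
        if workout is None:
            raise KeyError(workout_id)
        if not self.is_permitted(caller, workout):
            raise AuthorizationError(
                f"user {caller.user_id} may not modify workout {workout_id}"
            )
        workout.notes = notes
        return workout


def demo():
    """Constructed scenario: two members of different gyms and one gym admin."""
    store = WorkoutStore()
    store.add(Workout(workout_id=1, owner_id=10, gym_id=1, notes="5x5 squat"))
    store.add(Workout(workout_id=2, owner_id=20, gym_id=2, notes="2k row"))

    alice = User(user_id=10, gym_id=1, role="member")
    mallory = User(user_id=30, gym_id=2, role="member")
    gym1_admin = User(user_id=40, gym_id=1, role="admin")

    # Insecure path: an unrelated member overwrites Alice's workout.
    tampered = store.update_notes_insecure(mallory, 1, "tampered").notes

    # Hardened path: same attempt is refused; owner and same-gym admin succeed.
    try:
        store.update_notes(mallory, 2, "tampered again")
        blocked = False
    except AuthorizationError:
        blocked = True
    own_ok = store.update_notes(alice, 1, "5x5 squat, PR").notes
    admin_ok = store.update_notes(gym1_admin, 1, "coach note").notes
    try:
        store.update_notes(gym1_admin, 2, "cross-gym edit")
        cross_gym_blocked = False
    except AuthorizationError:
        cross_gym_blocked = True

    return {
        "insecure_tampered": tampered,
        "blocked": blocked,
        "own_ok": own_ok,
        "admin_ok": admin_ok,
        "cross_gym_blocked": cross_gym_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed after the lookup and before the write, and it is expressed in terms of the caller's relationship to the record (owner, or admin of the same gym) rather than the caller's role alone; a role check without the gym scope would still let one gym's admin edit another gym's data.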
“If an attacker gained administrative access over a specific gym in this manner, they would be able to make changes to payment settings, as well as access and update other users’ personal information,” said Dardan Prebreza.
After finding several bugs in the platform, the researcher notified the company about the issues half a year ago, and the fixes are still not available.
“It took almost two months until they acknowledged the vulnerabilities and only by directly reaching out to their CEO via email, which then put me in touch with their new head of technology back in April. They were supposed to release the new/patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5th as the final release date,” the researcher said.