Personal trainers urged to exercise caution over alleged security flaws

Zero-day vulnerabilities in Wodify fitness management platform allow attackers to siphon gym payments, extract member data

Security researchers have uncovered three vulnerabilities in fitness and gym management application Wodify that could allow an authenticated user to modify production data and extract sensitive personal information.

Wodify is used by more than 5,000 gyms around the world to manage their business. It is widely used with CrossFit boxes as a performance tracking app, mostly in the US, as well as for processing membership payments.

However, according to researchers from Bishop Fox, a combination of three vulnerabilities, rated high risk, could allow an attacker to read and modify data – and potentially tamper with payment settings.

The flaws are all still unpatched, the researchers claim, following an unsuccessful coordinated disclosure process that has been dragging on for half a year.

(Gym) session hijack

First, an insecure direct object references (IDOR) vulnerability allowed the workouts of all users of the Wodify platform to be read and modified, the Bishop Fox team explains in a technical research post out today (August 13).

Because this access wasn’t limited to a single gym, box, or tenant, all entries globally could be viewed and altered.

This could allow an attacker to insert malicious stored JavaScript payloads, opening the door to cross-site scripting (XSS) exploits. The attacker could then hijack a user’s session, steal a hashed password, or steal the user’s JSON Web Token (JWT).

YOU MIGHT ALSO LIKE Data breach at US waste management firm exposes employees’ healthcare details

Attackers could even siphon payments to themselves, Dardan Prebreza, senior security consultant at Bishop Fox and the lead researcher behind the advisory, tells The Daily Swig.

“The financial damage could be affecting the gym or CrossFit boxes’ owners, as compromising their accounts would allow the attacker to eventually update payments settings, and thus have members pay the attacker instead of the legitimate owners,” he says.

Disclosure pushbacks

The Bishop Fox team first discovered the issue on January 7, and contacted Wodify on 12 February. A fix was apparently promised for various dates, most recently August 5.

“It has been very difficult to get in touch with them. It took almost two months until they acknowledged the vulnerabilities, and only by directly reaching out to their CEO via email, which then put me in touch with their new head of technology back in April,” says Prebreza.

Read more of the latest security vulnerability news

“They were supposed to release the new patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5 as the final release date.”

The Daily Swig has approached Wodify for comment, and will update as and when the company responds.

Meanwhile, warns Bishop Fox in its advisory: “Wodify has not confirmed a patch yet. We advise Wodify customers to reach out to Wodify.”

RECOMMENDED Top hacks from Black Hat and DEF CON 2021