Security researchers have uncovered three vulnerabilities in fitness and gym management application Wodify that could allow an authenticated user to modify production data and extract sensitive personal information.
Wodify is used by more than 5,000 gyms around the world to manage their business. It is widely used by CrossFit boxes as a performance-tracking app, mostly in the US, and for processing membership payments.
However, according to researchers from Bishop Fox, a combination of three vulnerabilities, rated high risk, could allow an attacker to read and modify data – and potentially tamper with payment settings.
The flaws are all still unpatched, the researchers claim, following an unsuccessful coordinated disclosure process that has been dragging on for half a year.
(Gym) session hijack
First, an insecure direct object reference (IDOR) vulnerability allowed the workouts of all users of the Wodify platform to be read and modified, the Bishop Fox team explains in a technical research post out today (August 13).
Because this access wasn’t limited to a single gym, box, or tenant, all entries globally could be viewed and altered.
This could allow an attacker to insert malicious stored JavaScript payloads, opening the door to cross-site scripting (XSS) exploits. The attacker could then hijack a user’s session, steal a hashed password, or steal the user’s JSON Web Token (JWT).
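The two defects the article describes, an object lookup that is not scoped to the caller's gym (IDOR) and user-supplied workout text rendered into HTML unescaped (stored XSS), are shown below beside their fixed forms. This is an added illustration written for this page; it is not Wodify's code and not taken from the Bishop Fox advisory. The workout/tenant data model, the function names, the sample records and the session-cookie helper are all assumptions made for the example.

```python
# Added example, not Wodify's code. Minimal in-memory model of a multi-tenant
# workout store: the "unscoped" functions reproduce the defect class the
# article describes, the "scoped" ones show the usual fixes.
from dataclasses import dataclass
from html import escape


@dataclass
class Workout:
    workout_id: int
    tenant_id: str   # the gym / box that owns the record (assumed model)
    owner: str       # member who logged it
    notes: str       # free text entered by the member


# Constructed sample data: two gyms, one workout each. The second note is a
# harmless canonical XSS probe string used only to show the escaping.
WORKOUTS = {
    1: Workout(1, "gym-a", "alice", "5x5 back squat"),
    2: Workout(2, "gym-b", "bob", "<img src=x onerror=alert(1)>"),
}


class AuthorizationError(Exception):
    pass


# --- Defective pattern: lookup keyed only on the id, so any authenticated
# --- user reaches every tenant's records, and notes are interpolated raw.
def render_unscoped(workout_id: int) -> str:
    w = WORKOUTS[workout_id]
    return f"<li>{w.owner}: {w.notes}</li>"     # raw HTML interpolation


# --- Hardened pattern: every lookup carries the caller's tenant and the
# --- tenant check is part of the query, not an afterthought.
def get_workout(caller_tenant: str, workout_id: int) -> Workout:
    w = WORKOUTS.get(workout_id)
    # Same error whether the id is absent or belongs to another tenant, so
    # the endpoint does not reveal which ids exist elsewhere.
    if w is None or w.tenant_id != caller_tenant:
        raise AuthorizationError("workout not found")
    return w


def can_access(caller_tenant: str, workout_id: int) -> bool:
    try:
        get_workout(caller_tenant, workout_id)
        return True
    except AuthorizationError:
        return False


def update_notes(caller_tenant: str, caller_user: str,
                 workout_id: int, notes: str) -> Workout:
    w = get_workout(caller_tenant, workout_id)
    if w.owner != caller_user:                  # ownership, not just tenant
        raise AuthorizationError("not the owner of this workout")
    w.notes = notes
    return w


def render(caller_tenant: str, workout_id: int) -> str:
    w = get_workout(caller_tenant, workout_id)
    # Escape at output time; stored text stays as the member typed it.
    return f"<li>{escape(w.owner)}: {escape(w.notes)}</li>"


def session_cookie(token: str) -> str:
    # HttpOnly keeps a session token (JWT or otherwise) out of reach of any
    # script that does get injected; Secure and SameSite limit where the
    # browser will send it. Attribute set is a reasonable default, not
    # Wodify's actual configuration.
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print(render_unscoped(2))          # note rendered raw
    print(render("gym-b", 2))          # note escaped
    print(can_access("gym-a", 2))      # False: other tenant's record
```

The point of the scoped lookup is that the tenant filter lives inside the one function every handler calls, so there is no code path that can fetch a record by id alone; the escaping belongs at render time rather than on input so that the stored data is not silently altered.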
Attackers could even siphon payments to themselves, Dardan Prebreza, senior security consultant at Bishop Fox and the lead researcher behind the advisory, tells The Daily Swig.
“The financial damage could be affecting the gym or CrossFit boxes’ owners, as compromising their accounts would allow the attacker to eventually update payments settings, and thus have members pay the attacker instead of the legitimate owners,” he says.
Disclosure pushbacks
The Bishop Fox team first discovered the issue on January 7, and contacted Wodify on February 12. A fix was apparently promised for various dates, most recently August 5.
“It has been very difficult to get in touch with them. It took almost two months until they acknowledged the vulnerabilities, and only by directly reaching out to their CEO via email, which then put me in touch with their new head of technology back in April,” says Prebreza.
“They were supposed to release the new patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5 as the final release date.”
The Daily Swig has approached Wodify for comment, and will update as and when the company responds.
Meanwhile, warns Bishop Fox in its advisory: “Wodify has not confirmed a patch yet. We advise Wodify customers to reach out to Wodify.”
Source: https://portswigger.net/daily-swig/unpatched-vulnerabilities-in-wodify-fitness-management-platform-allow-attackers-to-steal-gym-payments-extract-member-data