Vulnerabilities in a fitness application management platform could allow attackers to compromise user accounts in dozens of such applications, even when the two-factor authentication (2FA) mechanism is enabled.
The platform is Fizikal, based in Israel, which lets customers manage subscriptions to apps and gyms.
Sahar Avitan, a consultant at the Israel-based cybersecurity company Security Joes, found that approximately 80 applications are built on the Fizikal API to give members easier access to sports clubs and their facilities.
There are about 70 Fizikal applications in the "Health and fitness" category of the Google Play Store, many of them added in recent days. Some of the older applications have over 5,000 downloads, and together they have been installed on at least 240,000 devices.
Avitan began analyzing the platform after resetting the password for his account on EZ Shape, a fitness app he used, and noticing that he received a weak 4-character code.
The researcher noticed that the password reset process returned different results for phone numbers present in the database than for those that were not.
That difference let him understand the whole mechanism, bypass security checks and enumerate users. In turn, this revealed the phone numbers on which users received the one-time password (OTP) via SMS when confirming the reset.
In addition, another bug in the platform made it possible to brute-force the OTP codes (the process completes in about a minute) and submit them to the Fizikal API before the legitimate user received the notification.
According to Security Joes, the OTP verification process was not protected by any anti-automation mechanism or CAPTCHA that would block brute-force attempts.
Avitan sent the OTP code to the platform's server and received a unique TokenID, required to create a new password. He then sent the TokenID to the server in HTTP headers along with the new password.
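The two weaknesses described above (a reset response that differs for registered and unregistered numbers, and an OTP check that accepts unlimited guesses against a 4-character code) are both fixable server-side. The following is an added example written for this article, not code from Fizikal or Security Joes. It models the reset flow as a small in-memory service with a simulated SMS transport and constructed sample data; the user store, the attempt limit of 5 and the 5-minute code lifetime are assumptions. It returns the same reply whether or not the number exists, counts every OTP guess and discards the code once the limit is reached, and issues a single-use TokenID that is consumed when the new password is set.

```python
import hashlib
import hmac
import secrets
import time

OTP_LENGTH = 4          # the article reports a 4-character reset code
MAX_ATTEMPTS = 5        # assumed lockout threshold per issued code
OTP_TTL_SECONDS = 300   # assumed code lifetime


class ResetService:
    """Constructed password-reset flow: request -> OTP -> TokenID -> new password.
    Not the Fizikal API; the user store and SMS transport are simulated."""

    def __init__(self, users, clock=time.time):
        self.users = users          # phone -> account dict (constructed data)
        self.clock = clock          # injectable for deterministic tests
        self.pending = {}           # phone -> {"otp", "expires", "attempts"}
        self.tokens = {}            # token_id -> phone
        self.sms_outbox = []        # simulated SMS transport: (phone, code)

    def request_reset(self, phone):
        """Same reply for known and unknown numbers, so the response body can
        no longer be used to tell which phone numbers are registered."""
        if phone in self.users:
            otp = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
            self.pending[phone] = {"otp": otp,
                                   "expires": self.clock() + OTP_TTL_SECONDS,
                                   "attempts": 0}
            self.sms_outbox.append((phone, otp))
        return "If this number is registered, a code has been sent by SMS."

    def verify_otp(self, phone, code):
        """Every guess is counted; once MAX_ATTEMPTS is exceeded the code is
        discarded, so a 10^4 keyspace cannot be exhausted. Returns a TokenID
        on success, None otherwise."""
        entry = self.pending.get(phone)
        if entry is None:
            return None
        entry["attempts"] += 1
        if self.clock() > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[phone]     # burn the code; a new reset is required
            return None
        if not hmac.compare_digest(entry["otp"], code):
            return None
        del self.pending[phone]         # a code is valid for exactly one success
        token = secrets.token_urlsafe(32)
        self.tokens[token] = phone
        return token

    def set_password(self, token, new_password):
        """Consume the TokenID once and store a salted PBKDF2 hash."""
        phone = self.tokens.pop(token, None)
        if phone is None:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[phone]["password"] = (salt, digest)
        return True

    def check_password(self, phone, password):
        stored = self.users.get(phone, {}).get("password")
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)


def guess_success_probability(attempt_limit):
    """Chance that blind guessing gets one code accepted. None means no limit,
    the state the article describes, where the whole keyspace can be tried."""
    keyspace = 10 ** OTP_LENGTH
    if attempt_limit is None:
        return 1.0
    return min(attempt_limit, keyspace) / keyspace


if __name__ == "__main__":
    svc = ResetService({"+972500000001": {"name": "constructed user"}})
    print(svc.request_reset("+972500000001"))
    print(svc.request_reset("+972500000002"))   # identical text for an unknown number
    print("blind-guess success with lockout:", guess_success_probability(MAX_ATTEMPTS))
```

The response text alone is not the whole story: the branch that generates and sends the code still takes longer than the branch that does nothing, so a production service should also even out the timing (for example by queuing the SMS asynchronously) and apply per-number and per-source rate limits on top of the per-code attempt counter.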
Compromising an account on some of the Fizikal gym applications not only lets an attacker lock out the legitimate user or cancel their subscription, but also gives access to personal user information:
- Telephone number
- Full name
- Date of birth
- Email address
- Postal address
- ID number
Ido Naor, founder and CEO of Security Joes, said that a malicious hacker could exploit these vulnerabilities to obtain information from other users.
According to the researchers, Fizikal and CERT in Israel received a full report on the findings and acted quickly to address the issues.