Friday, October 23, 02:19

Fitness application management platform exposes user data

Vulnerabilities in a fitness application management platform could allow attackers to take over user accounts in dozens of apps built on it, even when two-factor authentication (2FA) is enabled.

The platform in question is Fizikal, based in Israel, which lets customers manage subscriptions to fitness apps and gyms.

Several vulnerabilities in the Fizikal platform could be chained to bypass security controls, enumerate users, mount brute-force attacks and take over a user's account.

Brute-force attacks

Sahar Avitan, a consultant at the Israel-based cybersecurity company Security Joes, found that roughly 80 applications rely on the Fizikal API to give members easier access to sports clubs and their facilities.

About 70 Fizikal-based applications are listed in the "Health and fitness" category of the Google Play Store, many of them added only recently. Some of the older ones have more than 5,000 downloads, and together they have been installed on at least 240,000 devices.

Avitan began analysing the platform after resetting the password for his account on EZ Shape, a fitness app he used, and noticing that the reset code he received was a weak four-character code.

He also noticed that the password reset request responded differently for phone numbers that existed in the database than for those that did not.


That difference let him map out the whole mechanism, bypass the security checks and enumerate users. In particular, it revealed which phone numbers users had registered to receive the one-time password (OTP) by SMS when confirming a reset.

A further bug made it possible to brute-force the OTP by sending guesses to the Fizikal API (the whole process took about a minute), completing the reset before the legitimate user had even received the notification.

According to Security Joes, the OTP verification step was not protected by any anti-automation mechanism or CAPTCHA that would stop brute-force attempts.

Once Avitan submitted the correct OTP to the platform's server, he received a unique TokenID, which is required to set a new password. He then sent that token to the server in HTTP headers together with a new password.
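To make the failure mode concrete, the following is an added example and not code from the article, Security Joes or Fizikal. It simulates the reset flow described above twice: a weak server with a "number not found" response that leaks which numbers exist, a four-digit numeric code (an assumption; the article only says four characters) and no attempt limit, and a hardened server with a uniform response, a six-digit code, expiry and a five-attempt lockout. The phone numbers, limits and class names are constructed for illustration.

```python
import hmac
import secrets
import time

# Constructed sample user database; these numbers are not real.
KNOWN_PHONES = {"+972500000001", "+972500000002"}
OTP_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5           # assumption: five wrong guesses invalidate the code


class WeakResetServer:
    """Models the pattern in the article: a short OTP, a reply that differs
    for known and unknown numbers, and no limit on verification attempts."""

    def __init__(self):
        self.pending = {}  # phone -> current OTP string

    def request_reset(self, phone):
        if phone not in KNOWN_PHONES:
            return "error: phone number not found"          # leaks existence
        self.pending[phone] = f"{secrets.randbelow(10_000):04d}"  # 4 digits
        return "ok: code sent by SMS"

    def verify_otp(self, phone, code):
        if self.pending.get(phone) == code:                # no counter, no lockout
            del self.pending[phone]
            return secrets.token_hex(16)                   # reset token
        return None


class HardenedResetServer:
    """Same flow with the fixes a reviewer would ask for: uniform response,
    longer code, expiry, attempt counter and constant-time comparison."""

    def __init__(self):
        self.pending = {}  # phone -> [otp, expiry_timestamp, attempts_left]

    def request_reset(self, phone):
        if phone in KNOWN_PHONES:
            otp = f"{secrets.randbelow(1_000_000):06d}"
            self.pending[phone] = [otp, time.time() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        # Identical reply whether or not the number is registered.
        return "ok: if this number is registered, a code has been sent"

    def verify_otp(self, phone, code):
        entry = self.pending.get(phone)
        if entry is None:
            return None
        otp, expiry, attempts_left = entry
        if time.time() > expiry or attempts_left <= 0:
            del self.pending[phone]
            return None
        entry[2] -= 1
        if hmac.compare_digest(otp, code):
            del self.pending[phone]
            return secrets.token_hex(16)
        if entry[2] == 0:
            del self.pending[phone]                        # invalidate after MAX_ATTEMPTS misses
        return None


def brute_force_otp(server, phone, digits, limit=None):
    """Try numeric codes in order, as an attacker with no rate limit would.
    Returns (token, attempts); token is None if the space was exhausted or
    the server stopped accepting guesses."""
    space = 10 ** digits
    attempts = 0
    for n in range(space if limit is None else min(space, limit)):
        attempts += 1
        token = server.verify_otp(phone, f"{n:0{digits}d}")
        if token:
            return token, attempts
    return None, attempts


if __name__ == "__main__":
    weak = WeakResetServer()
    print(weak.request_reset("+972500000001"), "|", weak.request_reset("+972500009999"))
    token, tries = brute_force_otp(weak, "+972500000001", 4)
    print("weak server: token obtained after", tries, "guesses:", token is not None)

    hard = HardenedResetServer()
    print(hard.request_reset("+972500000001"), "|", hard.request_reset("+972500009999"))
    token, tries = brute_force_otp(hard, "+972500000001", 6, limit=10_000)
    print("hardened server: token obtained:", token is not None)
```

Against the weak server the loop always succeeds within 10,000 requests, which is why a four-digit code with no attempt limit falls in about the time the article reports. Against the hardened server an attacker gets at most five guesses per code, so the chance of success per reset request is 5 in 1,000,000, and the uniform reply means the reset endpoint can no longer be used to confirm which numbers are registered.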

Taking over an account on one of the Fizikal-based gym apps not only lets an attacker lock out the legitimate user or cancel their subscription, but also exposes the user's personal information:

  • Telephone number
  • Full name
  • Date of birth
  • Email address
  • Postal address
  • ID number

Ido Naor, founder and CEO of Security Joes, said that a malicious actor could exploit these vulnerabilities to obtain other users' information.

According to the researchers, Fizikal and Israel's national CERT received a full report of the findings and acted quickly to address the issues.
