Researchers Discover Vulnerabilities in Wodify Gym Management Web Application Used with CrossFit


A cybersecurity researcher has discovered several new vulnerabilities in Wodify’s gym management web application that gives an attacker the ability to extract workout data, personal information, and even financial information.

Wodify’s gym management web app is widely used among CrossFit boxes in the United States and other countries to help them grow taller. The software is used in over 5,000 gyms for things like class scheduling and billing.

But Dardan Prebreza, senior security consultant for Bishop Fox, explained in a report that a list of vulnerabilities “made it possible to read and modify the workouts of all users of the Wodify platform.”

Thanks to the attack, access “was not limited to a single gym / box / tenant, so it was possible to list all entries globally and edit them,” added Prebreza, noting that an attacker could hijack a user’s session, steal a hashed password, or the user’s JWT via the Sensitive Information Disclosure Vulnerability.

“So a combination of these three vulnerabilities could present a serious business and reputational risk to Wodify, as it would allow an authenticated user to modify all of their production data, but also extract sensitive personal information,” Prebreza said. .

Additionally, compromising the gym’s administrative user accounts could allow an attacker to change payment settings and thus have a direct financial impact, as the attacker could potentially be paid by gym members instead of or of the legitimate owners of the gym, the attacker could read and modify all training data of other users, extract personal information and possibly access administrative accounts for the purpose of financial gain.

Prebreza rated the level of vulnerability risk as high as it could cause serious reputational damage and financial ramifications for gyms and Wodify boxes that could have their payment settings altered.

Wodify did not respond to ZDNet request comments on vulnerabilities.

Prebreza’s report includes a timeline showing the vulnerabilities discovered on January 7 before Wodify was contacted on February 12. Wodify acknowledged the vulnerabilities on February 23 but did not respond to further inquiries.

Wodify CEO Ameet Shah was contacted and he put the Bishop Fox team in touch with Wodify’s chief technology officer, who held meetings with the company throughout April to solve problems.

On April 19, Wodify confirmed that the vulnerabilities would be fixed within 90 days but, from then on, repeatedly pushed back the patch date for the issues. First, the company made a commitment to release a fix in May, but pushed it back to June 11 before pushing it back to June 26.

Wodify did not respond to Bishop Fox for a month, admitting they were pushing the patch back to August 5.

More than six months have passed since the vulnerabilities were discovered, Bishop Fox said they told Wodify they would publicly disclose the vulnerabilities on August 6, only to release the report on August 13.

Wodify has yet to confirm if a fix actually exists, and Bishop Fox has urged customers to get in touch with the company.

“The Wodify application has been affected by insufficient authorization checks, allowing an authenticated attacker to disclose and modify the training data of any other user on the Wodify platform,” explained Prebreza.

“The sample data change in the report was done with consent on a collaborator’s account, and the proof of concept payload has been removed as a result of the screenshot. However, the possibility modifying the data means that an attacker could modify all training results and insert code to attack other Wodify users, including administrators of instances or gyms. “

According to the study, vulnerabilities ranged from insufficient authorization checks to disclosure of sensitive information and stored cross-site scripts, which can be exploited in other attacks.

While attackers could alter all workout data, profile photos, and names of Wodify users, the attack also allows malicious code to be inserted that could attack other Wodify users, including including gymnasium administrators.

Prebreza said the Wodify application was vulnerable to four instances of stored cross-site scripting, one of which “allowed an attacker to insert malicious JavaScript payloads into training results.”

“Any user who viewed the page containing the stored payload would execute JavaScript and perform actions on behalf of the attacker. as well as accessing and updating the personal information of other users, ”noted Prebreza.

“Alternatively, an attacker could create a payload to load an external JavaScript file in order to perform actions on behalf of the user. For example, the payload could change a victim’s email address and take control of the account by resetting the password did not require providing the current password). An attacker could also exploit the Sensitive Information Disclosure vulnerability to retrieve a hashed password or JWT (that is, session token) from a victim. “

Erich Kron, a security awareness advocate at KnowBe4, said this was an unfortunate case of an organization not taking a vulnerability disclosure seriously.

“While the initial idea of ​​simply erasing someone’s workout history may seem trivial to many, the fact that an attacker could gain access to the account and associated information, possibly including payment methods and personal information, is a real problem, ”Kron said.

“Even training information can be sensitive if the wrong person uses it to find role models. For example, the days and times that a CEO of an organization typically determines and uses them for malicious purposes. Organizations that create software should always have a process in place to deal with reported vulnerabilities like this and should take them seriously. “

Leave A Reply

Your email address will not be published.