Wodify's gym management web application is not as secured as you think, according to a cybersecurity expert.
The system gives a hacker the ability to download the user's workout data, personal information, and even their financial information.
Wodify's Gym Management Weak Security
The news came three months after researchers revealed that there are vulnerabilities detected on Modern AMD.
Google was also under fire for the unfixed vulnerabilities of its Windows 10.
Wodify's gym management web app is commonly used among CrossFit boxes in the United States and other countries. The software is currently used by more than 5,000 gyms for billing and class schedules, according to ZDNet.
Dardan Prebreza, the senior security consultant for Bishop Fox, explained in a report that a slate of vulnerabilities allowed reading and modifying the workouts of the users who are using Wodify.
Prebreza added that through the attack, the access was not limited to a single gym, so it was possible to enumerate all entries and modify them. He noted that a hacker could hijack a user's session, change their workout data, steal their password or their JWT because of the vulnerability.
Risk of Hacking and Vulnerabilties
Prebreza also stated that the vulnerabilities could affect the reputation and business of Wodify because it could allow anyone to modify all of the production data and extract sensitive PII.
Also, compromising administrative gym user accounts could allow any hacker to change the user's payment settings. This could have a direct financial impact on the user, and the hacker could get paid by the gym members instead of the legitimate gym owners.
An authenticated hacker could read and modify the workout data of the user, extract PII, and gain access to administrative accounts that stores all of the financial data of the app's users.
The vulnerability risk level of the app is marked high because it could cause reputational damage and severe financial damage to Wodify gyms that could have their payment settings tampered with.
Wodify refused to comment about the vulnerabilities of its app.
The report done by Prebreza includes a timeline that shows the vulnerabilities were discovered on Jan. 7 before Wodify was contacted about it on Feb. 12.
The app acknowledged the vulnerabilities on Feb. 23 but refused to respond to further requests, according to PortSwigger.
Fixing the Vulnerability
Ameet Shah, Wodify CEO, was contacted, and he connected the Bishop Fox team with the company's head of technology, who immediately held meetings with company executives throughout April to find ways to fix the issue.
On Apr. 19, Wodify stated that the vulnerabilities in their system would be fixed within three months, but the company repeatedly changed the patch date for the issues.
First, the company promise to release a patch in May, but they changed it to June 11 before changing it again to June 26.
The company did not respond to Bishop Fox for a month, and they finally admitted that they changed the patch date again to Aug. 5.
Almost six months have passed since the vulnerabilities were detected, and Bishop Fox stated that they told the gym management company that they would publicly disclose the issue on Aug. 6. Since nothing was done, Bishop Fox released the issue to the public on Aug. 13.
Wodify has not confirmed if it already fixed the issues, and Bishop Fox urged users to contact the company for confirmation.
Related Article: IoMT Devices: Healthcare Systems Should Be Aware of Vulnerabilities--Here's How to Protect Them
This article is owned by Tech Times
Written by Sophie Webster
