Posted on August 16, 2021 at 5:18 PM
Wodify Gym Management App Exposed by Unpatched Vulnerabilities
A recent security report has disclosed vulnerabilities in the Wodify gym management application. According to the report, the flaws allowed attackers to access user information such as personal data and workout data, and even to reach users' financial records.
Security Weakness in App
Software weaknesses that expose users to information theft have become commonplace. Three months before the Wodify disclosure, vulnerabilities were reported in modern AMD systems.
Google has also been affected by vulnerabilities in its systems; the company was recently criticized for not fixing weaknesses in Windows 10, which exposed many users worldwide to prying eyes and information theft.
The Wodify gym management web app is used by CrossFit boxes in the United States and is also available in other countries. A report by ZDNet stated that over 5,000 gyms currently use the application for tasks such as billing and class scheduling.
According to Dardan Prebreza, a senior security consultant at Bishop Fox, the vulnerabilities in Wodify's systems allowed a user to access other users' data and change their workout schedules, disrupting the routines of those using Wodify.
Prebreza added that the attack was not limited to users of a single gym: an attacker could read and modify the entries of every gym on the platform. He also noted that an attacker could hijack user sessions and, by doing so, alter workout data and access login credentials such as passwords, exposing user data.
The report also stated that the vulnerabilities did serious damage to Wodify's reputation. Besides compromising users, attackers could exploit the vulnerability to alter production data and extract sensitive information, putting both Wodify and its customers at risk.
In addition, compromising gym users' accounts allowed attackers to alter payment settings. This was a major weakness in the system, because an attacker could redirect gym members' payments to themselves instead of to the gym owners.
An attacker could also read, process and change workout information, gain access to administrators' accounts and reach the financial data stored in the application. This gave them full control over workout sessions.
The research rated the vulnerability as high risk because of these consequences. It damaged Wodify's reputation and posed serious financial harm to both users and the company, since attackers could reach its financial systems.
Despite the scope and severity of these issues, Wodify did not comment on the matter, nor did the company issue a statement on how it would fix the vulnerability. Prebreza's report states that the Wodify vulnerability was discovered on January 7 and that the company was notified on February 12.
Wodify acknowledged the vulnerability on February 23, but according to PortSwigger, the firm did not respond to further requests for comment.
Working on the Vulnerability
After the vulnerability was discovered, the researchers contacted Wodify's CEO, Ameet Shah, who in turn engaged with Bishop Fox's head of technology. Company executives met during April to find ways to fix the issue.
On April 19, Wodify issued a statement saying the vulnerability would be fixed within three months. However, the firm did not meet that deadline and has repeatedly pushed back the patch date, leaving users exposed.
The company initially gave May as its patch date. This later changed to June 11 and then to June 26. The company also stopped responding to Bishop Fox, and later stated that the patch date had been pushed again, to August 5.
Bishop Fox reached out to Wodify again on August 6, after the promised patch had not been delivered. The security firm stated that since Wodify had failed to address the security issue, the vulnerability would be disclosed to the public. Bishop Fox published the details on August 13.
Wodify has still not said whether the vulnerability has been fixed. Bishop Fox urged Wodify users to contact the company to confirm the status of the issue and when it will be fixed.