Is your gym telling on you? It sure was telling on me and my fellow members. Everything from contact info to pictures to bank account numbers to the time people enter the gym was leaking for a long, long time.
Published: Mon, September 25, 2017, 07:15
Category: Security
Tags: Security Monday, Information leak, XSS, ASP.NET, Images, OWASP 2013 A3, OWASP 2013 A7
A fitness center chain consisting of three centers was leaking the members' names, e-mail addresses, phone numbers, pictures, bank account numbers, logs of all visits, etc. They are still running vulnerable server software.
Who: Energi Treningssenter
Severity level: High
Reported: April 2017
Reception and handling: Good
Status: Partially fixed
Reward: A thank you
Issue: All kinds of personal info was leaked
Energi Treningssenter at Askøy is an excellent fitness center. It's modern, big and has all the equipment you want. I used to train there for a while, so I had - and still have - access to the member site where you see your personal details, payment history and full log of your visits.
Some years ago I noticed that the picture taken for the key card to the gym was publicly available. Just by knowing the URL you could iterate through the images of all the members without having to be logged in. I never bothered to report it back then. When I started considering this article series I remembered the issue with the pictures and wondered if my personal data was safe. The whole site had much the same feel as the completely vulnerable PHP site I wrote about earlier on.
I logged in to the gym's site while having the browser development tools open. I looked for anything out of the ordinary in the HTTP calls and in the source code.
The first thing that hit me was that all URLs are HTTP, not HTTPS. Even when submitting the form with username and password there is no encryption.
I spotted three links to an ASP page that was hidden with CSS (display: none;).
The ASP page looked like it let you change database fields for any user, but since I failed to even change my own data I'm not sure what the deal was. However, this page was vulnerable to XSS. A good opportunity to steal the session cookie, which seems to work perfectly fine across IP addresses. Or one could just let the user send his or her personal data directly.
The source also revealed the use of some kind of "add on" used for file upload. Is it possible to upload code that can be executed? I hope not. I wasn't able to tell for sure, but there were indeed web forms for uploading all kinds of files.
There seem to be three different servers involved in serving the site. Looking at the headers and the default error pages reveals outdated server software that has known vulnerabilities. However, as I've stated in the background for these posts, that is out of scope for now.
When you log in you will be told if the username you entered exists or not. If you use the "Forgot password" function you're told if you're entering a known e-mail address or not. And the e-mail you receive is not for resetting the password, it just contains both the username and the password. Fail x 3.
The page with all the personal details doesn't have any IDs or anything, but that doesn't mean that I couldn't try adding it. I tried account.asp?id=<some ID>, and voilà, I got access to other users' personal details. The ID was an incremental integer. Iterating the ID one could seemingly get everyone's name, e-mail address, phone number, bank account number, payment history and full visit log.
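The two bugs just described, as an added example that is not the gym's or the vendor's code: a minimal model of the account.asp?id= lookup beside an ownership-checked version, and the login response that reveals whether a username exists beside one that doesn't. Member records, usernames and passwords are constructed sample data; a real system would of course store password hashes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    id: int
    username: str
    email: str
    bank_account: str


# Constructed sample data standing in for the gym's member table.
MEMBERS = {
    1001: Member(1001, "alice", "alice@example.invalid", "1234.56.78901"),
    1002: Member(1002, "bob", "bob@example.invalid", "2345.67.89012"),
}
# Constructed credential store, kept plain text only to keep the example short.
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}


def account_vulnerable(session_user_id: int, query_id: Optional[str]) -> Optional[Member]:
    """Mirrors the bug: a ?id= parameter overrides the logged-in user's id."""
    lookup_id = int(query_id) if query_id is not None else session_user_id
    return MEMBERS.get(lookup_id)


def account_hardened(session_user_id: int, query_id: Optional[str]) -> Optional[Member]:
    """The record served is always the session owner's. A foreign or malformed
    id yields 'not found' rather than 'forbidden', so the response does not
    confirm which ids exist."""
    if query_id is not None:
        if not query_id.isdigit() or int(query_id) != session_user_id:
            return None
    return MEMBERS.get(session_user_id)


def login_vulnerable(username: str, password: str) -> str:
    """Distinct messages let anyone confirm whether a username exists."""
    if username not in PASSWORDS:
        return "Unknown username"
    return "OK" if PASSWORDS[username] == password else "Wrong password"


def login_hardened(username: str, password: str) -> str:
    """One message for every failure; only a full match is distinguishable."""
    if PASSWORDS.get(username) == password:
        return "OK"
    return "Invalid username or password"
```

The same rule applies to the "Forgot password" form: respond identically whether or not the e-mail address is known, and send a reset link rather than the password itself.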
A lot of personal data of previous and current members was leaked:
In addition there are quite a few issues that are probably still making the customer data vulnerable:
I believe that these issues have been around for many years.
At night I sent an e-mail telling about the information leak and general concerns about the solution.
Just 1.5 hours later I got a reply telling me that the issue had been forwarded to the right body.
I received an e-mail telling me that the vendor of the system had fixed the issue. I see that they have removed the information leak, but everything else is still the same.
This is yet another example of our personal data in the wild. There are countless security vulnerabilities out there. You should assume that anyone who wants to, knows everything about you and everything you do. And companies that have these types of vulnerabilities won't tell you when they become aware of them.
And to start connecting the dots between the cases I'm presenting: do you remember two weeks ago, when you could see the bank account balance using just the bank account number? Well, wasn't it nice that this case gave you that bank account number?
Looking at the old versions of the software running on these sites I would definitely guess that the data is still vulnerable.