HyperStrike Integration With Snap Fitness SSO Bypass
Posted Dec 22, 2010
Authored by Mark Stanislav

HyperStrike Integration with Snap Fitness suffers from an SSO bypass vulnerability.

tags | exploit, bypass
SHA-256 | 151c41eb78f81331e9e4f12c66b7172b40a1360b1e03dc20e72be82940004f5e

HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
Mark Stanislav - mark.stanislav@gmail.com


I. DESCRIPTION
---------------------------------------
A vulnerability existed within the single sign-on (SSO) integration of the HyperStrike and Snap Fitness websites. By altering the 'memberid' parameter passed in the site-integration query string, varying amounts of member data could be retrieved, depending on the account activation status and the HyperStrike usage of a given Snap Fitness member.


II. ACCOUNTS AFFECTED
---------------------------------------
90,000+


III. VULNERABILITY VERIFICATION PROCESS
---------------------------------------
* Script #1: Starting at an arbitrary number, I looped through 10,000 sequential 'memberid' values for Snap Fitness (gymid '21'). Roughly 2,700 accounts existed in either an 'activated' or 'unactivated' state.

* Script #2: Starting at a different arbitrary number, I looped through 1,000 sequential 'memberid' values for Snap Fitness. The specific purpose of this loop was to look for only activated accounts. Of the 1,000 'memberid' values checked, 76 accounts were activated. Based on simple regular expression checks, I verified that one user's profile had a picture, eight users had listed phone numbers, and at least one user had a medical questionnaire filled out. This is all in addition to the standard PII available.
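From the defender's side, the request pattern of a walk through sequential 'memberid' values like the one described above stands out in web-server logs. The following is an added example, not part of the original advisory: the log lines, IP addresses and ids are constructed, and the "ip [timestamp] method url" log layout is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines in an assumed "ip [timestamp] method url"
# layout; the IPs come from documentation ranges and the ids are made up.
SAMPLE_LOG = """\
203.0.113.7 [29/Aug/2010:14:01:01] GET /diff/partners/snap/member_activate.aspx?memberid=41000&gymid=21
203.0.113.7 [29/Aug/2010:14:01:02] GET /diff/partners/snap/member_activate.aspx?memberid=41001&gymid=21
203.0.113.7 [29/Aug/2010:14:01:03] GET /diff/partners/snap/member_activate.aspx?memberid=41002&gymid=21
203.0.113.7 [29/Aug/2010:14:01:04] GET /diff/partners/snap/member_activate.aspx?memberid=41003&gymid=21
203.0.113.7 [29/Aug/2010:14:01:05] GET /diff/partners/snap/member_activate.aspx?memberid=41004&gymid=21
198.51.100.2 [29/Aug/2010:14:05:00] GET /diff/partners/snap/member_activate.aspx?memberid=55210&gymid=21
198.51.100.2 [29/Aug/2010:14:09:00] GET /diff/partners/snap/member_activate.aspx?memberid=55210&gymid=21
"""

LINE_RE = re.compile(r"^(\S+) \[[^\]]+\] \S+ (\S+)")

def memberids_by_client(log_text):
    """Map client IP -> distinct memberid integers requested against
    member_activate.aspx, in request order. Other paths are ignored."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        parsed = urlparse(url)
        if not parsed.path.endswith("/member_activate.aspx"):
            continue
        mid = parse_qs(parsed.query).get("memberid", [""])[0]
        if mid.isdigit() and int(mid) not in seen[ip]:
            seen[ip].append(int(mid))
    return seen

def enumeration_suspects(log_text, min_ids=5, max_gap=3):
    """Flag clients whose requested ids form a run of at least `min_ids`
    values spaced no more than `max_gap` apart. A genuine SSO hand-off
    presents one member's id; a near-sequential run is an enumeration."""
    suspects = {}
    for ip, ids in memberids_by_client(log_text).items():
        ids = sorted(ids)
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_ids:
            suspects[ip] = best
    return suspects
```

The second client repeats a single id, which is what a real activation link produces, and is not flagged; only the near-sequential run from the first client is.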


IV. POTENTIAL ACCOUNT DATA AT RISK
---------------------------------------
* Activated Account: Photo, First Name, Last Name, Date of Birth, Gender, E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym Membership Company, Workout Schedule, and Medical History (blood pressure issues, heart problems, recent surgery, pregnancy, diabetes, etc.)

* Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail Address


V. VULNERABLE URL FORMAT
---------------------------------------
http://www.hyperstrike.com/diff/partners/snap/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]


VI. NOTES
---------------------------------------
* Because Snap Fitness apparently provides HyperStrike with customer data before a customer agrees to sign up with HyperStrike, customers of Snap Fitness had their personal details (as explained above for 'Unactivated Account') available to be taken without ever agreeing to use HyperStrike services or even knowing about the company.

* All account data collected during the vulnerability verification process was erased and at no time was any Snap Fitness/HyperStrike customer's data given to any individual.

* There is no known and/or reported breach of customer information. Ideally I was the first and only person to find this issue before it was a threat to customer privacy.

* No previous session, cookie, authentication, authorization, or otherwise was required to retrieve private member data. No 'spoofing' or 'hacking' occurred whatsoever.

* As an aside, the language towards me from Michael Greeves (and CC: inclusion of legal staff) became accusatory rather than appreciative after a few e-mails. The notification letter shown below that was presented to members treats the situation seemingly as a breach by some nefarious person rather than a disclosure by a responsible IT professional. Needless to say, not everyone knows how to say 'thanks for preventing a huge lawsuit' very well it would seem ;)


VII. REMEDIATION
---------------------------------------
The previously implemented single sign-on wasn't configured properly for the integration between Snap Fitness and HyperStrike. After notice was given by HyperStrike that the issue was remediated, I verified that the previous SSO bypass was no longer functional.
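The advisory does not say how the integration was fixed. The following is an added example, not HyperStrike's or Snap Fitness's code, of the usual remedy for a partner hand-off that trusts a bare identifier: the partner signs the parameters with a shared secret and a timestamp, and the receiving endpoint verifies that signature before touching any member data. The shared secret, the member records and the function names are assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import parse_qs

# Assumed shared secret held by both the gym's site and the training site;
# it is a constructed value and would come from configuration in practice.
SHARED_SECRET = b"constructed-example-secret"
TOKEN_TTL = 300  # seconds a hand-off link stays valid

# Constructed member records, keyed by the integer memberid.
MEMBERS = {41000: {"first": "Alice", "gymid": 21},
           41001: {"first": "Bob", "gymid": 21}}

def vulnerable_lookup(query, members=MEMBERS):
    """The pattern the advisory describes: the bare memberid in the query
    string is treated as proof of identity, so any integer selects a member."""
    mid = parse_qs(query).get("memberid", [""])[0]
    return members.get(int(mid)) if mid.isdigit() else None

def sign_handoff(memberid, gymid, secret=SHARED_SECRET, now=None):
    """Partner side: bind memberid and gymid to a timestamp with an HMAC so
    the receiving site can tell a genuine hand-off from an edited URL."""
    ts = int(time.time() if now is None else now)
    msg = f"{memberid}:{gymid}:{ts}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"memberid={memberid}&gymid={gymid}&ts={ts}&sig={sig}"

def verified_lookup(query, members=MEMBERS, secret=SHARED_SECRET, now=None):
    """Receiving side: recompute the HMAC over the parameters as received and
    refuse the request unless it matches and is fresh. Returns None on any
    failure so the response does not reveal which check failed."""
    params = parse_qs(query)
    try:
        memberid, gymid = params["memberid"][0], params["gymid"][0]
        ts, sig = int(params["ts"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return None
    current = int(time.time() if now is None else now)
    if not memberid.isdigit() or abs(current - ts) > TOKEN_TTL:
        return None
    expected = hmac.new(secret, f"{memberid}:{gymid}:{ts}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return members.get(int(memberid))
```

With the signed form, changing 'memberid' in a captured link invalidates the signature, an unsigned link is refused outright, and an old link expires after TOKEN_TTL seconds.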


VIII. REFERENCES
---------------------------------------
http://www.hyperstrike.com/
http://www.snapfitness.com/
http://www.uncompiled.com/2010/12/hyperstrike-integration-with-snap-fitness-sso-bypass-vulnerability/


IX. TIMELINE
---------------------------------------
08/29/2010 - Vulnerability found and verified
08/29/2010 - E-mail to HyperStrike disclosing the vulnerability and asking for a response to start the remediation process
09/07/2010 - Follow-up call to HyperStrike after not receiving a response in the prior days
09/07/2010 - Call from Michael Greeves, CEO of HyperStrike to discuss the vulnerability; promised 24-hour follow-up regarding remediation
09/07/2010 - Resent original disclosure e-mail + complete vulnerability report to Michael
09/17/2010 - Follow-up e-mail to Michael with regard to the remediation status of the vulnerability
09/17/2010 - Response from Michael stating a call was to be occurring with Snap Fitness that day about the issue
09/21/2010 - Response from Michael stating that they are working to remedy the issue and asking me to delete all customer data
09/22/2010 - E-mail sent to Michael reassuring him that as my report nearly a month prior stated, no customer data was kept
09/23/2010 - Response from Michael stating that the vulnerability had been fixed & verification of that statement by my own testing
09/23/2010 - Inquiry to Michael asking as to the method and timeline of customer notification for the situation
09/30/2010 - Response from Michael stating that Snap Fitness corporate was reviewing the proposed notification e-mail
10/18/2010 - Inquiry to Michael asking if the customer notification ever occurred as I had never received it
10/18/2010 - Response from Michael stating that it had indeed gone out to "over 90,000 members"
10/18/2010 - Request to Michael for a copy of the aforementioned customer notification
10/18/2010 - Response from Michael stating that I should have received it but that he would check the database at the end of the week and respond
10/28/2010 - Follow-up with Michael to receive a copy of the customer notice
10/28/2010 - Michael provided a copy of the disclosure e-mail that was sent to members
12/21/2010 - Public disclosure of incident


X. NOTIFICATION SENT TO CUSTOMERS
---------------------------------------
Dear Online Training Center user,

We're contacting you today to inform you about a recent security issue regarding our Snap Fitness member database, which includes users of www.mysnapfitness.com. An unauthorized individual accessed a small number of accounts, which included our members' personal information; however, no membership billing or financial information was accessed. We have since addressed the issue and remedied the situation.

Furthermore, the safety and protection of our members' information is our top priority, which is why we would like to encourage you to change your password for extra security.

We apologize for the intrusion, and we would like to assure you that we are reviewing and revising our procedures and practices in order to prevent an incident like this from happening again. If you have any additional questions, please contact us at info@hyperstrike.com.

Thank you once again for your business and continued support.

Sincerely,

Michael J Greeves
Founder & CEO
HyperStrike Inc.