[Full-disclosure] HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
- From: Mark Stanislav <mark.stanislav@xxxxxxxxx>
- Date: Tue, 21 Dec 2010 14:40:45 -0500
HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
Mark Stanislav - mark.stanislav@xxxxxxxxx
I. DESCRIPTION
---------------------------------------
A vulnerability existed within the single sign-on (SSO) integration of
HyperStrike and Snap Fitness websites. By altering the defined 'memberid'
parameter passed within the site-integration query string, varied amounts of
member data could be retrieved depending on the account activation status and
HyperStrike usage of a given Snap Fitness member.
II. ACCOUNTS AFFECTED
---------------------------------------
90,000+
III. VULNERABILITY VERIFICATION PROCESS
---------------------------------------
* Script #1: Starting at an arbitrary number, I looped through 10,000
sequential 'memberid' values for Snap Fitness (gymid '21'). Roughly 2,700
accounts existed in either an 'activated' or 'unactivated' state.
* Script #2: Starting at a different arbitrary number, I looped through 1,000
sequential 'memberid' values for Snap Fitness. The specific purpose of this
loop was to look for only activated accounts. Of the 1,000 'memberid' values
checked, 76 accounts were activated. Based on simple regular expression checks,
I verified that one user's profile had a picture, eight users had listed phone
numbers, and at least one user had a medical questionnaire filled-out. This is
all in addition to standard PII available.
IV. POTENTIAL ACCOUNT DATA AT RISK
---------------------------------------
* Activated Account: Photo, First Name, Last Name, Date of Birth, Gender,
E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym
Membership Company, Workout Schedule, and Medical History (blood pressure
issues, heart problems, recent surgery, pregnancy, diabetes, etc.)
* Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail
Address
V. VULNERABLE URL FORMAT
---------------------------------------
http://www.hyperstrike.com/diff/partners/snap/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]
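From a defender's side, the footprint of this issue in web server logs is distinctive: one client requesting member_activate.aspx over many sequential 'memberid' values with no referring partner site and no session. The following detection script is an added example, not code from the advisory or from either company; the log lines are constructed in Combined Log Format using the URL path from this advisory and private-range addresses, and the alert threshold is an assumed value.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Combined Log Format). The first five lines
# model a sequential-memberid scan from one address; the sixth is a normal
# hand-off arriving with the partner site as referrer; the last is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Aug/2010:13:01:01 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=100200&gymid=21 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Aug/2010:13:01:02 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=100201&gymid=21 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Aug/2010:13:01:02 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=100202&gymid=21 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Aug/2010:13:01:03 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=100203&gymid=21 HTTP/1.1" 200 4911 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Aug/2010:13:01:03 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=100204&gymid=21 HTTP/1.1" 200 302 "-" "Mozilla/5.0"
192.0.2.77 - - [29/Aug/2010:13:05:10 -0500] "GET /diff/partners/snap/member_activate.aspx?memberid=554321&gymid=21 HTTP/1.1" 200 5001 "http://www.snapfitness.com/" "Mozilla/5.0"
192.0.2.78 - - [29/Aug/2010:13:09:44 -0500] "GET /index.aspx HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# client, method, request target, status, bytes, referrer
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)"')
TARGET_PATH = "/diff/partners/snap/member_activate.aspx"


def parse_activation_requests(log_text):
    """Yield (client_ip, memberid, gymid, referrer) for each request to the activation page."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status, _size, referrer = m.groups()
        parts = urlsplit(target)
        if parts.path != TARGET_PATH:
            continue
        qs = parse_qs(parts.query)
        try:
            memberid = int(qs["memberid"][0])
            gymid = int(qs["gymid"][0])
        except (KeyError, ValueError):
            continue  # malformed or missing ids; not an activation hand-off
        yield client, memberid, gymid, referrer


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in the given id set."""
    best = 0
    ordered = sorted(set(ids))
    run = 0
    prev = None
    for i in ordered:
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def detect_enumeration(log_text, min_distinct=3, min_run=3):
    """Return {client_ip: summary} for clients that look like they are walking memberid values.

    A client is flagged when it requested at least `min_distinct` different
    memberids AND at least `min_run` of them were consecutive integers.
    Both thresholds are assumed values for the example, not tuned figures.
    """
    per_client = defaultdict(list)
    no_referrer = defaultdict(int)
    for client, memberid, _gymid, referrer in parse_activation_requests(log_text):
        per_client[client].append(memberid)
        if referrer in ("", "-"):
            no_referrer[client] += 1

    alerts = {}
    for client, ids in per_client.items():
        distinct = len(set(ids))
        run = longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            alerts[client] = {
                "requests": len(ids),
                "distinct_memberids": distinct,
                "longest_sequential_run": run,
                "requests_without_referrer": no_referrer[client],
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

The sequential-run test is what separates a scan from a partner that legitimately sends several members to the activation page in a short window; varying response sizes between activated and unactivated accounts (modelled by the 300-byte versus 5 KB bodies above) are a second signal worth graphing once an address is flagged.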
VI. NOTES
---------------------------------------
* Because Snap Fitness apparently provides HyperStrike with customer data
before a customer agrees to sign-up with HyperStrike, customers of Snap Fitness
had their personal details (as explained above for 'Unactivated Account')
available to be taken without ever agreeing to use HyperStrike services or even
knowing about the company.
* All account data collected during the vulnerability verification process was
erased and at no time was any Snap Fitness/HyperStrike customer's data given to
any individual.
* There is no known and/or reported breach of customer information. Ideally I
was the first and only person to find this issue before it was a threat to
customer privacy.
* No previous session, cookie, authentication, authorization, or otherwise was
required to retrieve private member data. No 'spoofing' or 'hacking' occurred
whatsoever.
* As an aside, the language towards me from Michael Greeves (and CC: inclusion
of legal staff) became accusatory rather than appreciative after a few e-mails.
The notification letter shown below that was presented to members treats the
situation seemingly as a breach by some nefarious person rather than a
disclosure by a responsible IT professional. Needless to say, not everyone
knows how to say 'thanks for preventing a huge lawsuit' very well it would seem
;)
VII. REMEDIATION
---------------------------------------
The previously implemented single sign-on wasn't configured properly for the
integration between Snap Fitness and HyperStrike. After notice was given by
HyperStrike that the issue was remediated, I verified that the previous SSO
bypass was no longer functional.
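The advisory does not say how the integration was fixed, only that the bypass stopped working. The root cause, though, is clear from the URL format: the hand-off trusted a bare 'memberid' integer that anyone could change. The following is an added example, not the companies' actual code, showing one standard way to close that gap: the partner site signs the memberid, gymid and an expiry with a shared secret (HMAC-SHA256), and the receiving site refuses to act on any hand-off whose signature does not verify or whose expiry has passed. The shared secret, the function names and the 300-second lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret for the example only. In a real integration it
# would be provisioned to both parties out of band and kept out of source.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def _canonical(memberid: int, gymid: int, exp: int) -> bytes:
    """Fixed-order byte string that both sides sign; any change to a field changes the MAC."""
    return f"memberid={memberid}&gymid={gymid}&exp={exp}".encode()


def issue_handoff(memberid: int, gymid: int, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Partner (gym) side: build the query string for the activation link.

    Returns 'memberid=...&gymid=...&exp=...&sig=...'. Only a party holding
    SHARED_SECRET can produce a sig that verifies for a given memberid.
    """
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    sig = hmac.new(SHARED_SECRET, _canonical(memberid, gymid, exp), hashlib.sha256).hexdigest()
    return urlencode({"memberid": memberid, "gymid": gymid, "exp": exp, "sig": sig})


def verify_handoff(query: str, now: Optional[int] = None) -> Optional[int]:
    """Receiving (training site) side: return the memberid to act on, or None to reject.

    Rejects missing/malformed fields, a signature that does not match the
    fields as received (i.e. a tampered memberid), and an expired link.
    """
    now = int(time.time()) if now is None else now
    try:
        params = parse_qs(query, strict_parsing=True)
        memberid = int(params["memberid"][0])
        gymid = int(params["gymid"][0])
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    expected = hmac.new(SHARED_SECRET, _canonical(memberid, gymid, exp), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None
    if now > exp:
        return None
    return memberid


if __name__ == "__main__":
    link = issue_handoff(123456, 21, now=1_000_000)
    print("valid     :", verify_handoff(link, now=1_000_100))
    tampered = link.replace("memberid=123456", "memberid=123457")
    print("tampered  :", verify_handoff(tampered, now=1_000_100))
    print("expired   :", verify_handoff(link, now=1_000_400))
```

The signature binds the identifier to the issuing partner, so the sequential-id walk described in section III fails on the first request. The expiry limits how long a captured link stays useful; a deployment that also wants to stop a single link being replayed at all would additionally record each (memberid, exp) pair on first use and refuse a second presentation.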
VIII. REFERENCES
---------------------------------------
http://www.hyperstrike.com/
http://www.snapfitness.com/
http://www.uncompiled.com/2010/12/hyperstrike-integration-with-snap-fitness-sso-bypass-vulnerability/
IX. TIMELINE
---------------------------------------
08/29/2010 - Vulnerability found and verified
08/29/2010 - E-mail to HyperStrike disclosing the vulnerability and asking for
a response to start the remediation process
09/07/2010 - Follow-up call to HyperStrike after not receiving a response in
the prior days
09/07/2010 - Call from Michael Greeves, CEO of HyperStrike to discuss the
vulnerability; promised 24-hour follow-up regarding remediation
09/07/2010 - Resent original disclosure e-mail + complete vulnerability report
to Michael
09/17/2010 - Follow-up e-mail to Michael with regard to the remediation status
of the vulnerability
09/17/2010 - Response from Michael stating a call was to be occurring with Snap
Fitness that day about the issue
09/21/2010 - Response from Michael stating that they are working to remedy the
issue and asking me to delete all customer data
09/22/2010 - E-mail sent to Michael reassuring him that as my report nearly a
month prior stated, no customer data was kept
09/23/2010 - Response from Michael stating that the vulnerability had been
fixed & verification of that statement by my own testing
09/23/2010 - Inquiry to Michael asking as to the method and timeline of
customer notification for the situation
09/30/2010 - Response from Michael stating that Snap Fitness corporate was
reviewing the proposed notification e-mail
10/18/2010 - Inquiry to Michael asking if the customer notification ever
occurred as I had never received it
10/18/2010 - Response from Michael stating that it had indeed gone out to "over
90,000 members"
10/18/2010 - Request to Michael for a copy of the aforementioned customer
notification
10/18/2010 - Response from Michael stating that I should have received it but
that he would check the database at the end of the week and respond
10/28/2010 - Follow-up with Michael to receive a copy of the customer notice
10/28/2010 - Michael provided a copy of the disclosure e-mail that was sent to
members
12/21/2010 - Public disclosure of incident
X. NOTIFICATION SENT TO CUSTOMERS
---------------------------------------
Dear Online Training Center user,
We're contacting you today to inform you about a recent security issue
regarding our Snap Fitness member database, which includes users of
www.mysnapfitness.com. An unauthorized individual accessed a small number of
accounts, which included our members' personal information; however no
membership billing or financial information was accessed. We have since
addressed the issue and remedied the situation.
Furthermore, the safety and protection of our members' information is our top
priority, which is why we would like to encourage you to change your password
for extra security.
We apologize for the intrusion, and we would like to assure you that we are
reviewing and revising our procedures and practices in order to prevent an
incident like this from happening again. If you have any additional questions,
please contact us at info@xxxxxxxxxxxxxxxx
Thank you once again for your business and continued support.
Sincerely,
Michael J Greeves
Founder & CEO
HyperStrike Inc.