The Israeli management platform Fizikal, which gyms and sports clubs use to manage subscriptions and class registrations through their apps, has significant vulnerabilities in its user authentication process. The vulnerabilities allow attackers to bypass security checks, enumerate users, brute-force the one-time password (OTP) used for logging in, and gain access to a user's account. Security researcher Sahar Avitan from Security Joes began looking into the app after he reset the password for his EZ Shape account, which uses Fizikal, and received a weak four-character password. He also noticed that he was able to send a password reset request more than three times in a row, whereas most other sites block the account after the third request. The researcher then used a user enumeration process to locate valid usernames by checking numbers and running through all possible phone numbers. Instead of having to receive the text message containing the OTP sent to a number that had an account, Avitan was able to run a script to brute-force the correct four-digit number, which he said took only one minute. This allowed him to obtain the ID Token for the account and change its password remotely, taking over the account. An attacker following this process would be able to access information such as phone number, full name, date of birth, email address, postal address, and ID number for any user of any of the fitness apps that use Fizikal's services. Fizikal and CERT were notified of the vulnerability and began efforts to repair it.
Companies that build apps on third-party services should verify that security controls are in place to prevent password reset abuse. If a password reset requires only a four-digit number, it is important to protect the system from automated guessing by locking out accounts after a few failed attempts. Although this vulnerability was responsibly disclosed by a researcher and is being remediated, users of fitness apps that use Fizikal should be aware that if they received a password reset code in a text message when they did not initiate the process, it is possible that an attacker gained access to their account information.
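The lockout recommended above, as an added example that is not code from Fizikal or from any app built on it: a small Python reset-code verifier (the `ResetCodeStore` name, the five-attempt limit and the five-minute lifetime are this example's own assumptions) that issues a random four-digit code, compares it in constant time, expires it, and burns it after a handful of wrong guesses, so that an exhaustive search of all 10,000 values is cut off after `MAX_ATTEMPTS` tries instead of succeeding within a minute.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed: failed guesses allowed before the code is invalidated
CODE_TTL_SECONDS = 300  # assumed: a code stops working after five minutes
CODE_DIGITS = 4         # four digits to mirror the case above; longer is better


class ResetCodeStore:
    """One outstanding reset code per account, with failure counting and expiry."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested offline
        self._codes = {}     # account -> {"code", "expires", "failures"}

    def issue(self, account):
        # secrets is a CSPRNG; zero-padding keeps "0042" as likely as "9999"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = {"code": code, "expires": self._now() + CODE_TTL_SECONDS, "failures": 0}
        return code  # caller delivers this out of band (e.g. SMS); never log it

    def is_outstanding(self, account):
        return account in self._codes

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None or self._now() > entry["expires"]:
            self._codes.pop(account, None)  # expired codes are dropped, not retried
            return False
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._codes[account]        # single use: consumed on success
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_ATTEMPTS:
            del self._codes[account]        # burned: the user must request a fresh code
        return False


def guesses_before_lockout(store, account):
    """Self-check: how many guesses an exhaustive 0000..9999 search gets to make."""
    attempts = 0
    for n in range(10 ** CODE_DIGITS):
        attempts += 1
        if store.verify(account, f"{n:0{CODE_DIGITS}d}") or not store.is_outstanding(account):
            break
    return attempts
```

A per-code attempt limit has to be paired with rate limiting on the reset-request endpoint itself, because the enumeration described above abuses that endpoint rather than the code check.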