lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <52296F94-6CA4-4B8B-903E-1FB29B229D5D@gmail.com>
Date: Tue, 21 Dec 2010 14:40:45 -0500
From: Mark Stanislav <mark.stanislav@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: HyperStrike Integration with Snap Fitness,
	SSO Bypass Vulnerability

HyperStrike Integration with Snap Fitness, SSO Bypass Vulnerability
Mark Stanislav - mark.stanislav@...il.com


I. DESCRIPTION
---------------------------------------
A vulnerability existed within the single sign-on (SSO) integration of HyperStrike and Snap Fitness websites. By altering the defined 'memberid' parameter passed within the site-integration query string, varied amounts of member data could be retrieved depending on the account activation status and HyperStrike usage of a given Snap Fitness member.


II. ACCOUNTS AFFECTED
---------------------------------------
90,000+


III. VULNERABILITY VERIFICATION PROCESS
---------------------------------------
* Script #1: Starting at an arbitrary number, I looped through 10,000 sequential 'memberid' values for Snap Fitness (gymid '21'). Roughly 2,700 accounts existed in either an 'activated' or 'unactivated' state.

* Script #2: Starting at a different arbitrary number, I looped through 1,000 sequential 'memberid' values for Snap Fitness. The specific purpose of this loop was to look for only activated accounts. Of the 1,000 'memberid' values checked, 76 accounts were activated. Based on simple regular expression checks, I verified that one user's profile had a picture, eight users had listed phone numbers, and at least one user had a medical questionnaire filled-out. This is all in addition to standard PII available.


IV. POTENTIAL ACCOUNT DATA AT RISK
---------------------------------------
* Activated Account:  Photo, First Name, Last Name, Date of Birth, Gender, E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym Membership Company, Workout Schedule, and Medical History (blood pressure issues, heart problems, recent surgery, pregnancy, diabetes, etc.)

* Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail Address


V. VULNERABLE URL FORMAT
---------------------------------------
http://www.hyperstrike.com/diff/partners/snap/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]


VI. NOTES 
---------------------------------------
* Because Snap Fitness apparently provides HyperStrike with customer data before a customer agrees to sign-up with HyperStrike, customers of Snap Fitness had their personal details (as explained above for 'Unactivated Account') available to be taken without ever agreeing to use HyperStrike services or even know about the company.

* All account data collected during the vulnerability verification process was erased and at no time was any Snap Fitness/HyperStrike customer's data given to any individual.

* There is no known and/or reported breach of customer information. Ideally I was the first and only person to find this issue before it was a threat to customer privacy.

* No previous session, cookie, authentication, authorization, or otherwise was required to retrieve private member data. No 'spoofing' or 'hacking' occurred whatsoever.

* As an aside, the language towards me from Michael Greeves (and CC: inclusion of legal staff) became accusatory rather than appreciative after a few e-mails. The notification letter shown below that was presented to members treats the situation seemingly as a breach by some nefarious person rather than a disclosure by a responsible IT professional. Needless to say, not everyone knows how to say 'thanks for preventing a huge lawsuit' very well it would seem ;)


VII. REMEDIATION
---------------------------------------
The previously implemented single sign-on wasn't configured properly for the integration between Snap Fitness and HyperStrike. After notice was given by HyperStrike that the issue was remediated, I verified that the previous SSO bypass was no longer functional.


VIII. REFERENCES
---------------------------------------
http://www.hyperstrike.com/
http://www.snapfitness.com/
http://www.uncompiled.com/2010/12/hyperstrike-integration-with-snap-fitness-sso-bypass-vulnerability/


IX. TIMELINE
---------------------------------------
08/29/2010 - Vulnerability found and verified
08/29/2010 - E-mail to HyperStrike disclosing the vulnerability and asking for a response to start the remediation process
09/07/2010 - Follow-up call to HyperStrike after not receiving a response in the prior days
09/07/2010 - Call from Michael Greeves, CEO of HyperStrike to discuss the vulnerability; promised 24-hour follow-up regarding remediation
09/07/2010 - Resent original disclosure e-mail + complete vulnerability report to Michael
09/17/2010 - Follow-up e-mail to Michael with regard to the remediation status of the vulnerability
09/17/2010 - Response from Michael stating a call was to be occurring with Snap Fitness that day about the issue
09/21/2010 - Response from Michael stating that they are working to remedy the issue and asking me to delete all customer data
09/22/2010 - E-mail sent to Michael reassuring him that as my report nearly a month prior stated, no customer data was kept
09/23/2010 - Response from Michael stating that the vulnerability had been fixed & verification of that statement by my own testing
09/23/2010 - Inquiry to Michael asking as to the method and timeline of customer notification for the situation
09/30/2010 - Response from Michael stating that Snap Fitness corporate was reviewing the proposed notification e-mail
10/18/2010 - Inquiry to Michael asking if the customer notification ever occurred as I had never received it
10/18/2010 - Response from Michael stating that it had indeed gone out to "over 90,000 members"
10/18/2010 - Request to Michael for a copy of the aforementioned customer notification
10/18/2010 - Response from Michael stating that I should have received it but that he would check the database at the end of the week and respond
10/28/2010 - Follow-up with Michael to receive a copy of the customer notice
10/28/2010 - Michael provided a copy of the disclosure e-mail that was sent to members
12/21/2010 - Public disclosure of incident


X. NOTIFICATION SENT TO CUSTOMERS
---------------------------------------
Dear Online Training Center user,

We're contacting you today to inform you about a recent security issue regarding our Snap Fitness member database, which includes users of www.mysnapfitness.com. An unauthorized individual accessed a small number of accounts, which included our members' personal information; however no membership billing or financial information was accessed.  We have since addressed the issue and remedied the situation.

Furthermore, the safety and protection of our members' information is our top priority, which is why we would like to encourage you to change your password for extra security.

We apologize for the intrusion, and we would like to assure you that we are reviewing and revising our procedures and practices in order to prevent an incident like this from happening again. If you have any additional questions, please contact us atinfo@...erstrike.com.

Thank you once again for your business and continued support.

Sincerely,

Michael J Greeves
Founder & CEO
HyperStrike Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ