The details of a patched vulnerability in a popular mobile fitness application have been disclosed three months after a fix was released. The flaw could have allowed a user to fetch the personal profile of another registered app user.
MyFitnessPal deployed a fix on June 26 for a privacy flaw in an undocumented API that was reported two days earlier by Randy Westergren Jr., a software developer at XDA Developers. Bigger picture, this is more evidence of mobile applications extending their reach when it comes to consuming a user’s personal and device information.
Fitness, health and medical mobile applications, in particular, have been hammered by privacy experts and called on the carpet by the U.S. Federal Trade Commission for their thirst for consumers’ personal information. Apps that count calories, offer diet and exercise advice, and track fitness efforts consume an individual’s data in order to return feedback and suggestions. Yet it’s unclear in many cases how well this data is secured and how it’s shared, especially since it’s not stored by health practitioners or insurance agencies and falls outside the regulatory purview of the Health Insurance Portability and Accountability Act (HIPAA).
MyFitnessPal’s faux pas was more of a coding error resulting in an insecure direct object reference where anyone who was logged in was able to request and access any profile by manipulating the User ID parameter in the request, Westergren said.
“The vulnerability existed because the application was insecurely handling the request, i.e., not verifying the requestor has permission to view it,” Westergren said, adding that an attacker could learn a host of information about a user, such as an email address or birthdate, that could be leveraged into further attacks. “This can be used as a foothold for attackers.”
Westergren said he verified the vulnerability only on the Android app. Requests for comment to MyFitnessPal went unanswered prior to publication.
Westergren said he found the vulnerability after he started monitoring his personal interactions with the Android app. He said he proxied his Android device to run all requests through the free Fiddler debugging proxy. Via this process, he captured a request made to an undocumented MyFitnessPal API for his personal information, and noticed that the same information could be retrieved remotely by any other logged-in user.
“Using [Fiddler], I was able to see all requests made from all apps. I started interacting with MFP and noticed this request. It stuck out because a developer generally wouldn’t request information for a logged in user by User ID,” Westergren said. “Rather, the safe way would be to request user information for the logged-in user. That is, not providing a User ID parameter at all, and determining the user to show server-side, based on the OAuth token passed.”
Westergren said once a user enters their username and password, the API issues an OAuth token that can be used to authenticate future requests.
“The app subsequently pulls profile information down in order to populate fields in the app (among other things),” he said. “This was exploitable by logging in as a valid user and using your token to directly request the profile information of other users.”
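The insecure handling Westergren describes, beside the fix he recommends (resolve the user server-side from the OAuth token rather than trusting a client-supplied User ID), as an added illustration in Python. This is not MyFitnessPal's code; the tokens, user IDs and profiles are constructed sample data.

```python
# Added example, not MyFitnessPal's code: a minimal profile endpoint showing the
# insecure direct object reference beside the fix. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    user_id: int
    email: str
    birthdate: str


# Constructed sample data: the store the API reads from, and the bearer tokens
# the API issued at login (token -> user_id).
PROFILES = {
    1001: Profile(1001, "alice@example.invalid", "1985-03-02"),
    1002: Profile(1002, "bob@example.invalid", "1990-11-17"),
}
TOKENS = {"tok-alice": 1001, "tok-bob": 1002}


def _authenticate(token: str) -> int:
    """Map a bearer token to the user it was issued to; reject unknown tokens."""
    try:
        return TOKENS[token]
    except KeyError:
        raise PermissionError("invalid or expired token") from None


def get_profile_insecure(token: str, requested_user_id: int) -> Profile:
    """Vulnerable handler: authenticates the caller, then trusts the client-supplied
    user ID without checking that the caller may view it. Any logged-in user can
    read any profile just by changing the ID (insecure direct object reference)."""
    _authenticate(token)
    return PROFILES[requested_user_id]


def get_profile_hardened(token: str) -> Profile:
    """Fixed handler: no user ID parameter at all. The profile returned is always
    the one belonging to the authenticated caller, so there is nothing to tamper with."""
    return PROFILES[_authenticate(token)]


def get_profile_checked(token: str, requested_user_id: int) -> Profile:
    """Alternative fix when the endpoint must keep an ID parameter: perform the
    authorization check the vulnerable handler skipped."""
    caller_id = _authenticate(token)
    if requested_user_id != caller_id:
        raise PermissionError("caller may not view this profile")
    return PROFILES[requested_user_id]
```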
Westergren said he built a proof-of-concept exploit in PHP to test this out by substituting the direct object with different user IDs.
“To verify the vulnerability exists, the POC simply starts at my own user ID and increments the user ID parameter by one, then attempts to request the information of that user. It loops in this process until it finds a response with valid user information (presumably, not all user IDs will exist due to accounts being deleted/closed, etc.),” Westergren said. “At the time, I believe it only took five requests to confirm the existence of the vulnerability, i.e. the program looped five times (incrementing the user ID), before it found a valid user, returning the personal MFP information of that user.”
He said MyFitnessPal was quick to respond to his report, which he submitted June 24. As a reward, Westergren said MyFitnessPal sent him a gift card and a personal thanks from the company’s vice president of engineering.