Exercise-tracking app not QUITE fit for purpose

MyFitnessPro splats bug in two days

8 Reg comments Got Tips?

Popular fitness app MyFitnessPal, used by 65 million people, has fixed a vulnerability that exposed personal information including date of birth records.

The profiles allowed users to fill out their private location data including country, state, and city but not street-level addresses for the purposes of linking neighbours.

However, that information could be viewed by anybody, according to security researcher Randy Westergren, due to a direct object reference vulnerability.

"Using Fiddler proxy, I started monitoring my own interactions within the Android App, capturing the requests made to the undocumented MyFitnessPal API," Westergren said.

"I noticed an interesting request to this URL: https://api.myfitnesspal.com/v2/users/23662613557054 — a simple request to get my user information, but it looked like a possible insecure direct object reference."

Westergren wrote a simple PHP script to test and pull other user data by replacing the number sequence at the end of the URL and reported the flaw to MyFitnessPal.

The fitness fanatics got cracking and fixed the simple bug within two days of the report, leaving in the dust the response times of many large and small application developers.

Westergren received a gift card for his troubles.®


Biting the hand that feeds IT © 1998–2020