
Privacy Ninja


Bugs in gym management software let hackers change user workout results


Security researchers found vulnerabilities in the Wodify fitness platform that allow an attacker to view and modify user workouts from any of the more than 5,000 gyms that use the solution worldwide.

User data (e.g. personal, workout, payments) may currently be at risk since Wodify has yet to confirm the roll out of a patch, despite being given ample time to address the security issues.

Wodify is an all-in-one platform used by more than 5,000 gyms worldwide. Apart from offering membership management options, it can also help clients achieve their goals and better track their performance.


The platform is aimed at both coaches and athletes. It features an automated billing system and class scheduling, and allows creating custom workouts and tracking fitness data (e.g. heart rate) in real time.

Changing user workout data

In a report published today, researchers at cybersecurity company Bishop Fox disclosed a set of vulnerabilities in the Wodify platform that could affect not only users’ workouts and personal information but also the financials of a gym.

Exploiting the flaws allows enumerating and modifying entries in the Wodify platform from all the gyms that use it, says Dardan Prebreza, Senior Security Consultant at Bishop Fox. Despite the need to authenticate, the issues have serious implications.

“While modifying the data, an attacker could insert malicious stored JavaScript payloads, leading to XSS. This could be leveraged to hijack a user’s session, steal a hashed password, or the user’s JWT through the Sensitive Information Disclosure vulnerability” – Dardan Prebreza

By compromising administrative gym accounts, the researcher says, a financially motivated attacker could edit payment settings to steal the money from gym members.

One of the vulnerabilities refers to insufficient authorization controls, which could serve to enumerate users and change their data in the Wodify platform.

Leveraging the bug requires authentication. The researcher tested this bug successfully after getting consent from a Wodify customer to use their account.

Enumerating user IDs in Wodify fitness management app

This kind of access allowed inserting malicious code that would impact other users on the platform, “including instance or gym administrators,” via cross-site scripting (XSS) attacks.

By adding a malicious JavaScript payload in the target user’s workout comment, the researcher triggered the XSS vulnerability that would enable changing all Wodify users’ workout data, results included.

XSS triggered in Wodify fitness management app

Further investigation revealed four stored XSS vulnerabilities in the Wodify application. Privileges of a regular user are sufficient to plant malicious JavaScript in a workout result that would trigger an XSS bug.

A user loading that page would cause the attacker’s code to run, potentially giving the attacker administrative access to the target gym’s application.

“If an attacker gained administrative access over a specific gym in this manner, they would be able to make changes to payment settings, as well as access and update other users’ personal information” – Dardan Prebreza

Another vulnerability in the Wodify application exposes sensitive user information and allows hijacking sessions with the help of an XSS flaw.
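The two flaw classes described above, missing object-level authorization on workout records and stored XSS in workout comments, are closed by a per-record permission check on every write and by encoding stored text on output. The sketch below is an added example, not Wodify's code or Bishop Fox's; the data model, IDs and function names are hypothetical and the sample records are constructed.

```python
import html
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    gym_id: int
    is_gym_admin: bool = False

@dataclass
class WorkoutResult:
    result_id: int
    owner_id: int
    gym_id: int
    comment: str = ""

# Constructed sample data: two gyms, sequential (guessable) record IDs.
RESULTS = {
    101: WorkoutResult(101, owner_id=1, gym_id=10),
    102: WorkoutResult(102, owner_id=2, gym_id=10),
    103: WorkoutResult(103, owner_id=3, gym_id=20),
}

class Forbidden(Exception):
    """Raised for both unknown IDs and IDs the caller may not touch."""

def may_edit(actor: User, result: WorkoutResult) -> bool:
    # Object-level check: being logged in is not enough. The caller must
    # own the record or be an administrator of the gym it belongs to.
    if actor.user_id == result.owner_id:
        return True
    return actor.is_gym_admin and actor.gym_id == result.gym_id

def update_comment(actor: User, result_id: int, comment: str) -> None:
    result = RESULTS.get(result_id)
    # Identical error for "missing" and "not permitted", so response
    # differences cannot be used to map which IDs exist.
    if result is None or not may_edit(actor, result):
        raise Forbidden("not found or not permitted")
    result.comment = comment  # stored as submitted; encoded when rendered

def render_comment(result_id: int) -> str:
    # Encode on output: stored markup is displayed as text, never parsed
    # as HTML, regardless of which user later views the page.
    safe = html.escape(RESULTS[result_id].comment, quote=True)
    return '<p class="comment">' + safe + "</p>"
```

The check is made against the record fetched on the server, so a changed ID in the request cannot reach another user's or another gym's data.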

A patch is not confirmed

Prebreza first notified Wodify of his findings more than half a year ago and was told in April that the bugs would be fixed within 90 days.

The researcher told BleepingComputer that communication with Wodify has been very difficult and it took the company a long time to acknowledge the vulnerabilities.

“It took almost two months until they acknowledged the vulnerabilities and only by directly reaching out to their CEO via email, which then put me in touch with their new head of technology back in April.”

“They were supposed to release the new/patched version in May, which then got pushed back several times. Last time they replied to us, they mentioned August 5th as the final release date,” the researcher said.

According to the disclosure timeline from Bishop Fox, Wodify was supposed to release a new version of the app on June 11 but delayed the update to August 5.

However, Bishop Fox says they have not heard from the vendor since July 13 and are unaware if a patch has been released to customers.

BleepingComputer reached out to Wodify but had not heard back by publishing time.
