iOS health app Fitify exposes 138K consumer personal images

Fitify’s publicly accessible Google cloud storage bucket has uncovered a whole bunch of 1000’s of recordsdata. Among the recordsdata had been user-uploaded progress photos that people add to trace their physique modifications over time. After Cybernews contacted the corporate, the unprotected occasion was closed.

iOS health app Fitify exposes 138K consumer personal images: Key takeaways

• Fitify uncovered 373K recordsdata together with 138K progress images by way of unsecured Google cloud storage.
• Progress images typically confirmed minimal clothes, making publicity notably delicate for customers.
• Personal consumer knowledge was accessible with out passwords or safety keys.
• App contained hardcoded secrets and techniques that would allow attackers to entry extra consumer knowledge.

Sadly, importing media on-line at all times brings some dangers, even when the recipient is a trusted vendor. Enter: Fitify, a well-liked health app with over 10 million downloads from the Google Play retailer and an estimated 25 million whole installs throughout all platforms.

In early Could, the Cybernews analysis staff found a Fitify-owned and publicly accessible Google cloud storage bucket. Whereas many of the recordsdata uncovered within the unprotected occasion had been exercise plans and instruction movies, researchers additionally seen images that customers shared with the app’s “AI coach” and their physique scans.

Fitify app leaks consumer images

The app’s target market is customers who wish to shed some pounds, get in form, or in any other case higher their physique. Physique scans permit the monitoring of modifications over time, as Fitify customers train or food plan in response to their health plan. Fitify’s Google App retailer description clearly states that “knowledge is encrypted in transit,” offering reassurance to customers that their personal images received’t be uncovered.

Nonetheless, the Cybernews staff, or anybody else for that matter, may entry the cloud storage with none passwords or safety keys.

“It is usually worthwhile to notice that ‘progress photos’ and ‘physique scans’ are sometimes captured with minimal clothes to raised showcase the progress of weight reduction and muscle development. Due to this fact, many of the leaked photographs is perhaps of the kinds that customers usually wish to maintain personal and never share with anybody on the web,” the staff stated.

Fitify Exercises, the corporate behind the app, responded after being contacted by Cybernews researchers and closed the uncovered occasion, eradicating it from the general public web site.

Cybernews’ journalists have reached out to the corporate for official remark and can replace the article as soon as they obtain a reply.

What’s the extent of the Fitify knowledge leak?

The now-closed Google cloud storage bucket contained a complete of 373,000 recordsdata. 2 hundred and 6 thousand of those had been consumer profile images, and one other 138,000 had been labeled as progress photos. 13 thousand of the recordsdata had been shared by way of the app’s AI coach message attachments, and one other 6,000 had been labeled as “Physique Scan” knowledge, together with photos and AI metadata.

The physique scan characteristic permits customers to make a 3D scan of their physique, with the app offering an in depth evaluation of their lean mass, physique fats, posture, and different elements they might wish to enhance or observe.

“The leak exhibits that the entry controls carried out by the app had been inadequate to safe consumer knowledge, and the truth that this knowledge could possibly be accessed by anybody with none passwords or keys demonstrates that consumer knowledge was not encrypted at relaxation,” the staff defined.

After discovering the uncovered occasion, the researchers cross-checked whether or not Fitify’s identify was included within the randomly chosen dataset, which the staff used to research how safe Apple App Retailer’s apps truly are.

Cybernews researchers downloaded 156,000 iOS apps, round 8% of all apps on the Apple App Retailer, and found that builders typically depart plaintext credentials within the software code accessible to anybody.

The findings revealed that 71% of the apps analyzed leak at the very least one secret, with a mean app’s code exposing 5.2 secrets and techniques. It seems that Fitify was no totally different.

“After investigating the uncovered secrets and techniques, we found credentials that would doubtlessly be used to entry much more buyer knowledge and the appliance’s backend infrastructure,” the staff defined.

“It additionally exhibits that the misconfigured cloud bucket entry controls weren’t the one mistake made by the app’s builders, as quite a few API Keys and delicate endpoint places had been additionally hardcoded throughout the app’s front-end.”

What hardcoded secrets and techniques did the Fitify app expose?

Builders hardcode secrets and techniques for quite a few causes. Whereas typically needed for the app to perform correctly, some secrets and techniques and keys shouldn’t be stored accessible as they permit attackers to dive deep into the app and doubtlessly entry personal consumer knowledge.

The analysis staff famous various kinds of secrets and techniques between improvement and manufacturing environments. Fitify’s improvement setting had the next hardcoded secrets and techniques uncovered:

• Android Shopper ID
• Google Shopper ID
• Google API Key
• Firebase URL
• Google App ID
• Undertaking ID
• Storage Bucket
  
   

Attackers may use IDs and keys to entry Google and Firebase infrastructure elements, collect info, after which dig into the app, doubtlessly acquiring delicate consumer knowledge.

For instance, exposing Google Shopper ID and Android Shopper ID may allow malicious actors to impersonate reputable app situations, doubtlessly getting access to consumer accounts. On the identical time, the storage bucket may allow attackers to inject malicious recordsdata or modify current content material.

In the meantime, Fitify’s manufacturing setting had the next hardcoded secrets and techniques:

• Android Shopper ID
• Google Shopper ID
• Google API Key
• Firebase URL
• Google App ID
• Undertaking ID
• Storage Bucket
• Fb App ID
• Fb Shopper Token
• Firebase Dynamic Customized Domains
• Algolia API Key
  
   

Coupled with beforehand leaked info, hardcoded secrets and techniques could allow attackers to entry customers’ social media knowledge by way of Fitify. Mixed with Google credentials, this creates a number of assault vectors for situations affecting each health knowledge and social media profiles.

Our researchers word that the Algolia API Key is among the much less generally leaked secrets and techniques. Algolia gives software program and instruments that permit companies to implement speedy internet seek for particular person web sites. The analysis staff didn’t take a look at the leaked API key, so it’s unclear what knowledge the database shops.

Easy methods to repair leaky apps?

Our researchers consider that to successfully mitigate the difficulty, it’s greatest to give attention to uncovered situations and hardcoded secrets and techniques individually.

To repair cloud storage bucket-related points, the staff advises:

In the meantime, to forestall apps’ secrets and techniques from falling into the flawed fingers, the staff advises the next:

• Leaked credentials should be revoked.
• New credentials must be generated and saved securely throughout the company-controlled servers.
• Entry management settings should be reviewed for the uncovered endpoints.
• It’s endorsed to carry out an audit to find out if these vulnerabilities and misconfigurations had been exploited by malicious actors.
• The appliance must be up to date to be suitable with the brand new, safer infrastructure.
  
   

His Secret Previous was Uncovered by World’s Most Mysterious Hackers