The self-service portal of the biggest Estonian sports club MyFitness has a major flaw, which allows for strangers to easily log in to the accounts and see people personal information. The club already knows the mistake for a month, but it has not been fixed so far.
The test showed that knowing the MyFitness client’s completely public information is possible to sign in to his account if he has not manually changed his password. Namely, the client will be assigned a default password when opening a self-service account, which is very easy to guess even to completely strangers. Another problem is that the client is not forced to change this password after logging in, which means that people will continue to use the unsecure password. Thirdly, the person’s password is sent to them in plain via e-mail, making it easy for it to leak.
Signing in to a person’s account will at least allow to see his contact details, contracts with MyFitness, training preferences, history and schedule.
The username is incremental number and the password is the last name of the account holder. MyFitness was informed about the flaw through CERT-EE already year ago.
This is another example that some flaws get fixed only after they are published in media.