August 18, 2020 By Ionut Ilascu

Hackers could hijack user accounts in dozens of fitness and gym mobile applications, even where the two-factor authentication (2FA) mechanism was active.
The common ground for all the apps is Fizikal, a management platform from Israel for gyms and sports clubs that allows customers to handle their subscription and class registration.
Several vulnerabilities affecting the Fizikal platform could be chained to bypass security checks, enumerate users, brute-force the one-time password (OTP) used for logging in, and gain access to a user's account.