Fitbit – APIs and Access Control Failures, a simple API bug allowed to harvest millions of user private activities!

In this write-up we will show you how Seekurity team was able to harvest all the user’s private/custom activities leaves more than 20 million private custom activities data in danger.

First of all, this write-up is not a new one and the discovery itself is dated back to 2017 but we decided to disclose it right now after we gave Fitbit the reasonable amount of time to patch the vulnerability and to protect the health data about the users!

Fitbit website gives the users the ability to create/log a custom activities (eg Boxing, Biking, Swimming etc..)

During our tests we noticed this weird GET request which retrieving data in JSON format:


Seems weird!
ActivityID is the vulnerable parameter, While conducting our  tests to see if we can get a different response based on a user-supplied-input randomly, we passed some values to the parameter then we noticed that we’re getting a response regardless the access level of the activity (Public or Private).

-Public Activity (accessLevel: PUBLIC)

Screen Shot 2016-04-27 at 5.03.18 PM-Private Activity (accessLevel: PRIVATE)

Screen Shot 2016-04-27 at 5.44.32 PM
The Fix
The issue has been already fixed and we receive a 403 error message due to properly taking care of the API Access control Level.
Screen Shot 2016-04-27 at 5.00.45 PM

Proof of Concept Video


Why this issue happened?
APIs are the first target for attackers/bug hunter and surprisingly marketers specially when it comes to data gathering on a large scale, crawlers and other data harvesting tools are functioning like a charm if you somehow forgot to secure your API endpoints.

The common vulnerabilities that can hit an API and cause a lot of headache are: Data Harvesting, No rate-limitation, SQL Injections, Cross-Site Scripting, IDOR, Information Disclosure, Missing Function Level Access Control, etc…




A minute if you please!

Building a website, API, an application or dealing with any kind of sensitive information? Anything related to the security and Safety of your business? Or already launched one without considering security? Worried about your personal security? Think twice before going public and let us protect your business!



(Visited 916 times, 1 visits today)