MyFitnessPal is easily one of the most popular calorie counter apps for weight loss and nutrition tracking. I’ve been using it for a few years and love it. Their Android App and web interface is simple, easy to use, and boasts a large database of nutritional information for a variety of foods, but how secure is user information?

Using Fiddler proxy, I started monitoring my own interactions within the Android App, capturing the requests made to the undocumented MyFitnessPal API. I noticed an interesting request to this URL: https://api.myfitnesspal.com/v2/users/23662613557054 — a simple request to get my user information, but it looks like a possible Insecure Direct Object Reference!

Let’s check it out. I wrote a quick proof-of-concept in PHP that would simply emulate the same authenticated request to get my user information (substituting other user IDs), exiting on the first successful return of data to confirm the vulnerability.

$headers = array( "Authorization: Bearer ***REMOVED***", "mfp-client-id: mfp-mobile-android-google", "Accept: application/json" ); $url = "https://api.myfitnesspal.com/v2/users"; $id = 23662613557054; while(TRUE) { if($r = curl("$url/$id", array(), $headers)) { exit($r); } $id++; }

Two seconds later, I had a successful hit! This is a fairly serious privacy issue since the personal details of users is exposed (including birth dates). Cue the email to [email protected] to responsibly disclose the issue and get it fixed.

My experience with MyFitnessPal’s support and engineering team was incredible. They were very receptive to the report and quickly deployed a fix. Here’s the disclosure timeline:

2014-06-24: Initial email to MyFitnessPal reporting vulnerability

2014-06-26: Follow-up with MyFitnessPal contacts

2014-06-26: Acknowledgement of issue and confirmation of deployed fix

Following the fix, MyFitnessPal’s VP of Engineering reached out to offer a personal thanks for reporting the vulnerability. They were even nice enough to send me a gift card to express their appreciation.

Share this: