Portuguese security researcher David Sopas is the one who found the flaws

Nov 12, 2013 15:23 GMT

Portuguese security researcher David Sopas has identified a couple of vulnerabilities in RunKeeper, the highly popular fitness-tracking application.

According to the expert, the security holes – a cross-site scripting (XSS) flaw and a cross-site request forgery (CSRF) flaw – could have been exploited by cybercriminals to run an XSS worm.

The CSRF issue impacted the Account Settings section.

“Using an external HTML form, a crafted site with an auto-submit JavaScript, a malicious user could modify all the information on an authenticated RunKeeper user without them knowing. This happened because RunKeeper forms lacked a security token or any other validation which allowed a user to POST a request on external sources,” Sopas noted in a blog post.
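The server-side validation whose absence is described above, sketched as an added example (it is not RunKeeper's code or the researcher's): a token bound to the user's session is embedded in the settings form and checked, together with the request's origin, before any change is applied. The server key, session id, the field name `csrf_token` and the origin `https://app.example` are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: a per-deployment secret and the site's own origin.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGINS = {"https://app.example"}


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token placed in a hidden field when the settings form is rendered."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, sent_mac = (token or "").partition(".")
    if not sep or not nonce or not sent_mac:
        return False
    expected = _mac(session_id, nonce)
    return hmac.compare_digest(expected.encode(), sent_mac.encode())


def origin_is_trusted(headers: dict) -> bool:
    """Check Origin, falling back to Referer, against the allow-list.
    Requests carrying neither header are rejected (a strict policy choice)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS


def handle_settings_post(session_id: str, headers: dict, form: dict) -> int:
    """Return an HTTP status: 403 for cross-site or token-less posts, else 200."""
    if not origin_is_trusted(headers):
        return 403
    if not token_is_valid(session_id, form.get("csrf_token", "")):
        return 403
    # The account settings update would be applied here.
    return 200
```

A form auto-submitted from another site carries the victim's session cookie but cannot read the token from the legitimate page, so the handler refuses it.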

The XSS issue was persistent and it impacted the same Account Settings section.

“The XSS was automatically executed on user Account Settings and on the profile page of the user affected - http://runkeeper.com/user/dsopas/profile. Even the public profile was affected with this issue (no need for authentication),” the expert wrote.

If unfixed, the security holes could have been leveraged to develop a worm capable of propagating through RunKeeper. The threat could steal user cookies, harvest private data and even distribute malware.

A perfect example of such a threat is Samy, an XSS worm designed to spread on Myspace. Samy made a lot of headlines back in 2005 after it had spread on the profiles of over 1 million users of the social network.

Fortunately, in this case, RunKeeper fixed the vulnerabilities fairly quickly after being notified by the security expert.

The issues were first reported on October 10 and they were fixed less than one month later. The researcher said RunKeeper even provided him with detailed information on the patching plan.

Additional technical details on the vulnerabilities identified by Sopas are available on the researcher’s blog.