Puregym Part 1: Obtaining "Free" Access
This is part 1 of a two-part series in which we look for exploits in PureGym.
PureGym just dropped a new feature: scan a QR code on your phone to open the gate, letting you access the gym without the old Mifare Classic tag. A convenient and much-needed feature. This raised one question: how can we break this?
Geolocation Restriction
Naturally, the first thing I tested was whether the system had any geo-restrictions. I quickly snapped a picture of the QR code and tried scanning it at home; sure enough, I was presented with an error:
The QR Code
Taking a look at the QR code with an online decoder, we see that the data it contains is a URL:
https://puregym.dk/app/open_gate?center={REDACTED}&gate={REDACTED}&lng={REDACTED}&lat={REDACTED}&endpoint=/open-gate/qrcode
Neat: it passes in the coordinates as well as the IDs of the center and the gate. With the coordinates of the gate, we could spoof the device's location using FakeTraveler, easily bypassing the geolocation restriction and letting us open the gate from anywhere we wanted.
Finding the API
The next challenge we faced was finding the logic behind the gate-opening feature. After setting up a Magisk-rooted Android device and installing the cert-fixer module, we could easily install the Burp Suite certificate with system privileges, allowing us to monitor all traffic. This setup is essentially a MITM (man-in-the-middle) proxy. The picture below shows how a MITM proxy works in relation to normal traffic.
This demonstrates that the MITM proxy, in our case Burp Suite, intercepts all traffic, allowing us to view and modify requests before they reach the server or the client.
When we tested it, it worked. Lucky for us, the application had no root detection nor SSL pinning. The app did require the Google Play API, making custom ROMs not viable unless you install an alternative such as Mind The Gapps.
With no major roadblocks in place, we spoofed the device's location using FakeTraveler. Once the location spoofing was in place, we scanned the QR code. As expected, a network request immediately appeared in Burp Suite:
POST /api/v1.0.0/open-gate/qrcode HTTP/2
Host: mit.puregym.dk
Authorization: Basic {REDACTED}
App-Identifier: com.shapehq.fitnessworld.android
Gdpr: android
Content-Type: application/json; charset=UTF-8
Content-Length: 47
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/4.10.0
{"center_id":"{REDACTED}","gate_id":"{REDACTED}"}
This clearly illustrates that the only authentication used to access this API is the Authorization HTTP header, which is essentially email:password encoded in Base64. Looks like this can easily be replayed.
After a 20-minute cooldown, implemented as a security measure to prevent users from passing their phone to a friend so that the friend can access the fitness center, we could finally replay the request and check whether or not the gate opened. And it did open. This meant we could open the gate as long as we passed in a valid email and password.
The Concept
The concept of the exploitation was simple: have a pool of PureGym membership credentials harvested with a fake PureGym website prompting the user to log in. Users can then buy a cheaper shared membership. The concept is shown in detail in this flowchart:
Possible Fixes
A possible fix would be to add shadow banning: once you've opened the gate in one center, you are shadow banned, meaning you can't open the gate in another center that is too far away. Let's say you're at the most northern point and open the gate; then you can't possibly be at the most southern point 20 minutes later. In addition, forcing a profile picture will help the staff identify whether you're using your own membership.
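The following is an added example, not PureGym's code, showing how the shadow-ban idea above could be checked on the server side. It parses the gate URL format shown earlier to pull out the center ID and coordinates, keeps the last successful open per membership, and refuses a second open at a different center if the implied travel speed is implausible. The center IDs, coordinates, timestamps and the 150 km/h speed threshold are constructed for the example and are not values from the page.

```python
"""Impossible-travel check for gate-open events (added example, not PureGym code).

A membership that opened a gate at center A cannot open a gate at a distant
center B 20 minutes later.  Every id, coordinate and threshold below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from urllib.parse import parse_qs, urlparse

EARTH_RADIUS_KM = 6371.0
# Assumption: no member reaches a second center faster than this.  Tune per deployment.
MAX_PLAUSIBLE_SPEED_KMH = 150.0


@dataclass(frozen=True)
class GateOpen:
    member: str          # membership identity, e.g. the e-mail used for Basic auth
    center_id: str
    lat: float
    lng: float
    at: datetime


def parse_gate_url(url: str) -> dict:
    """Extract center, gate, lat and lng from the QR payload format shown in the post."""
    q = parse_qs(urlparse(url).query)
    return {
        "center_id": q["center"][0],
        "gate_id": q["gate"][0],
        "lat": float(q["lat"][0]),
        "lng": float(q["lng"][0]),
    }


def haversine_km(lat1: float, lng1: float, lat2: float, lng2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlng = p2 - p1, radians(lng2 - lng1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlng / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_plausible(prev: GateOpen, new: GateOpen,
                 max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    """True if the member could have travelled from prev to new in the elapsed time."""
    if prev.center_id == new.center_id:
        return True                      # same center: the 20-minute cooldown handles this
    hours = (new.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return False                     # out-of-order or duplicate timestamp: refuse
    dist_km = haversine_km(prev.lat, prev.lng, new.lat, new.lng)
    return dist_km / hours <= max_speed_kmh


class GateAuthorizer:
    """Remembers the last successful open per member and refuses implausible ones."""

    def __init__(self, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> None:
        self._last: dict[str, GateOpen] = {}
        self.max_speed_kmh = max_speed_kmh

    def try_open(self, event: GateOpen) -> bool:
        prev = self._last.get(event.member)
        if prev is not None and not is_plausible(prev, event, self.max_speed_kmh):
            return False                 # shadow ban: deny and flag the membership for staff review
        self._last[event.member] = event
        return True


def run_demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: open in the north, then 20 min later in the south, then 3 h later."""
    t0 = datetime(2024, 1, 1, 18, 0, tzinfo=timezone.utc)
    north = parse_gate_url("https://puregym.dk/app/open_gate?center=C-NORTH&gate=G1"
                           "&lng=9.92&lat=57.05&endpoint=/open-gate/qrcode")
    south = parse_gate_url("https://puregym.dk/app/open_gate?center=C-SOUTH&gate=G1"
                           "&lng=12.57&lat=55.68&endpoint=/open-gate/qrcode")
    auth = GateAuthorizer()
    first = auth.try_open(GateOpen("member@example.invalid", north["center_id"],
                                   north["lat"], north["lng"], t0))
    too_fast = auth.try_open(GateOpen("member@example.invalid", south["center_id"],
                                      south["lat"], south["lng"], t0 + timedelta(minutes=20)))
    later = auth.try_open(GateOpen("member@example.invalid", south["center_id"],
                                   south["lat"], south["lng"], t0 + timedelta(hours=3)))
    return first, too_fast, later


if __name__ == "__main__":
    print(run_demo())  # expected: (True, False, True)
```

The check keys on the membership identity behind the Basic auth header, so a replayed request from a second device is caught the moment it arrives at a center the genuine member could not have reached. A denied event should be logged rather than silently dropped, since it is exactly the signal staff would want when deciding whether to ask for the profile picture mentioned above.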
Final Thoughts
Even though this concept is possible, it is highly illegal to pull off, and the risk-to-reward ratio is shifted towards the risk. Therefore, the likelihood of an attacker doing this is very low. Finally, I do believe this API could be abused to share your subscription with a few friends more easily, thus lowering the cost of your membership. Previously, if you wanted to share your membership, you would need to dump the Mifare Classic card to a Chinese unlocked card using a Proxmark. You can check out my PureGym QR code scanner, a web-based interface used to open the gate.