03.15
Summary
Because of a security vulnerability in fitbit.com, malicious third-party websites could have extracted personal information from logged in users.
What is Fitbit
According to http://www.fitbit.com/company:
Fitbit is dedicated to helping people lead healthier, more active lives. We take a common sense approach to fitness, and believe that the key is to make it easier for consumers to be more active, eat smarter, and get enough sleep — in short, that small changes to your daily routine can add up to big results. To that end, we aim to create innovative, inspiring products and online services that harness the power of new technologies to make people more aware of their everyday activities and motivate them to do more.
The company produces a number of devices which all sync data to fitbit.com. This data can then be viewed, visualized, shared, etc. I was given a device as a holiday present and I’ve enjoyed it a lot.
What is JSONP?
From http://en.wikipedia.org/wiki/JSONP:
JSONP or “JSON with padding” is a communication technique used in JavaScript. It provides a method to request data from a server in a different domain, something prohibited by typical web browsers because of the same origin policy.
I gave a presentation late last year which has a bit more information on JSONP and more examples of sites that had JSONP-related vulnerabilities in the past.
In this case, fitbit.com did not use JSONP by default but did allow attackers to request data in a JSONP format. An attacker who requested data in this way could read out data that is normally restricted to users on the Fitbit website, including data on calories burned and steps taken.
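The two passages above (what JSONP is, and why honouring a callback parameter on a logged-in user's data lets any third-party page read it) are easiest to see side by side in code. The following is an added example written for this post, not Fitbit's code: a minimal model of an endpoint in its leaky form and in a hardened form, plus a small audit helper a site owner can run against their own authenticated endpoints to find responses that come back wrapped in a callback. The request and session shapes, the function names and the sample data are all constructed for the demonstration.

```javascript
// Added example (not from the original post): a leaky JSONP-capable
// endpoint beside a hardened one, and an audit helper for finding
// authenticated responses that are wrapped in a callback. Request shape,
// session object and sample data are constructed; this is not Fitbit's API.

const SAMPLE_ACTIVITY = { // constructed sample, not real account data
  result: {
    chart: { datasets: [[{ description: "0.08 hours lightly active", value: 0.08 }]] },
    success: true,
  },
};

// Leaky version: wraps the response in the caller-supplied callback whenever
// ?callback= (or ?jsonp=) is present, even for a logged-in user. A page on
// any origin can load this URL in a <script> tag; the browser attaches the
// user's cookies, and the callback runs in that page with the user's data.
function respondLeaky(req, session, data) {
  const cb = req.query.callback || req.query.jsonp;
  const body = JSON.stringify(data);
  if (cb) {
    return { status: 200, headers: { "Content-Type": "application/javascript" }, body: `${cb}(${body});` };
  }
  return { status: 200, headers: { "Content-Type": "application/json" }, body };
}

// Hardened version: JSONP is never honoured for a response that depends on
// the user's session. Public, non-sensitive data may still be served as
// JSONP, but only with a callback name restricted to a plain identifier, and
// every response carries nosniff so a browser will not run a JSON body as
// script. Cross-origin reads of session data should go through CORS instead.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;

function respondHardened(req, session, data, { publicData = false } = {}) {
  const cb = req.query.callback || req.query.jsonp;
  const headers = { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" };
  const body = JSON.stringify(data);
  if (!cb) return { status: 200, headers, body };
  if (session && session.userId && !publicData) {
    // Session-dependent data: refuse to wrap it. A cross-origin <script>
    // tag can still send the cookies, but a bare JSON literal does nothing
    // when evaluated, so nothing is readable by the including page.
    return { status: 400, headers, body: JSON.stringify({ error: "JSONP not supported for this resource" }) };
  }
  if (!SAFE_CALLBACK.test(cb)) {
    return { status: 400, headers, body: JSON.stringify({ error: "invalid callback" }) };
  }
  // Leading /**/ is a common guard against Rosetta-Flash style abuse of the
  // first bytes of the response.
  return { status: 200, headers: { ...headers, "Content-Type": "application/javascript" }, body: `/**/${cb}(${body});` };
}

// Audit helper: does a response body have the shape identifier(JSON); ?
// Intended for sweeping one's own endpoints, as a logged-in user, with a
// callback parameter appended to see which ones wrap session data.
const JSONP_SHAPE = /^\s*(?:\/\*\*\/)?[A-Za-z_$][\w$.]*\s*\(\s*[\[{][\s\S]*[\]}]\s*\)\s*;?\s*$/;

function looksLikeJsonp(body) {
  return JSONP_SHAPE.test(body);
}

// Run each (path, handler) pair with a probe callback and the given session;
// return the paths whose response came back wrapped.
function auditEndpoints(endpoints, session) {
  const req = { query: { callback: "auditProbe" } };
  return endpoints
    .filter(({ handler }) => looksLikeJsonp(handler(req, session).body))
    .map(({ path }) => path);
}
```

`auditEndpoints` flags every wrapped response, including deliberately public JSONP endpoints; the point of the sweep is to review each hit and confirm that nothing session-dependent is in the list.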
Examples
Here are some examples of URLs and the responses that were returned by fitbit.com using my account (I own a Fitbit device):
```javascript
a({
  "result": {
    "chart": {
      "columnWidth": 70,
      "datasets": [
        [{
          "color": "a3e0e0",
          "description": "0.08 hours lightly active on Sun, Dec 23",
          "label": "",
          "name": "1356220800000",
          "url": "/activities/2012/12/23",
          "value": 0.08
        }],
        [{
          "color": "ffbb33",
          "description": "0.12 hours fairly active on Sun, Dec 23",
          "label": "",
          "name": "1356220800000",
          "url": "/activities/2012/12/23",
          "value": 0.12
        }],
        [{
          "color": "ff3366",
          "description": "0 hours very active on Sun, Dec 23",
          "label": "",
          "name": "1356220800000",
          "url": "/activities/2012/12/23",
          "value": 0
        }]
      ],
      "expiresOn": 1361055371096,
      "gridCategoryAlpha": 0,
      "gridValueAlpha": 100,
      "isCanvasBorderOn": true,
      "isDescEnabled": true,
      "isLinkEnabled": true,
      "isSkipZeros": false,
      "maxAge": 300,
      "plotAreaAlpha": 100,
      "plotAreaBorderAlpha": 0,
      "plotAreaColor": "#ffffff",
      "plotAreaMarginsBottom": 40,
      "plotAreaMarginsLeft": 40,
      "plotAreaMarginsRight": 20,
      "plotAreaMarginsTop": 5,
      "precision": 2,
      "rotateNames": 0,
      "timePeriod": "INTRADAY",
      "valuesCategoryEnabled": true,
      "valuesCategoryFrequency": 6,
      "valuesValueEnabled": true,
      "valuesValueFrequency": 1,
      "valuesValueIntegersOnly": false,
      "yMax": 3.12,
      "yMin": 0
    },
    "success": true
  }
});
```
```javascript
a({
  "ajaxResponse": {
    "result": [
      [],
      [{
        "id": 111,
        "type": "GALILEO",
        "battery": "High",
        "lastSyncTime": 1361044707000,
        "productName": "Zip",
        "settingsUrl": "/settings/device/tracker"
      }]
    ],
    "newResult": {
      "getAlarms": {
        "status": 200,
        "result": []
      },
      "getOwnerDevices": {
        "status": 200,
        "result": [{
          "id": 111,
          "type": "GALILEO",
          "battery": "High",
          "lastSyncTime": 1361044707000,
          "productName": "Zip",
          "settingsUrl": "/settings/device/tracker"
        }]
      }
    }
  }
});
```
There may be other pages on the site which disclose similar information or have other forms of security vulnerabilities. This is not the first security or privacy issue related to Fitbit that has been publicly disclosed. [1] [2]
Disclosure Timeline
- December 23rd, 2012: Initial email with proofs of concept sent to Fitbit support.
- December 25th, 2012: Reply from Fitbit, details have been sent to engineering department.
- January 2nd, 2013: Email from recruiter at Fitbit. Was asked to reach out to me because of my report. Asked if I would be interested in a possible software engineering role there.
- January 2nd, 2013: Replied to recruiter, explained I’m already happily employed.
- January 2nd, 2013: Email from recruiter acknowledging reply.
- February 9th, 2013, 1:38 AM: Sent followup to support, asking for update on issue.
- February 9th, 2013, 4:59 PM: Reply from support. Issues were passed off to engineering, no updates to provide at the current time.
- February 9th, 2013, 5:15 PM: Sent followup to support, asking for ETA on fixes.
- February 16th, 2013: Sent email to support. Informed them of intention to write this post and publish it in a little over a week.
- February 17th, 2013: Reply from support. Issues were passed off to engineering, support will follow up with engineering.
- February 18th, 2013: Reply from support. Engineering has been contacted.
- February 21st, 2013, 9:09 AM: Reply from support. Issue is scheduled to be patched on March 15th. Told to expect direct contact from engineering.
- February 21st, 2013, 9:16 AM: Sent email to support. Agreed to hold off publication of post until after March 15th.
- March 9th, 2013, 2:03 PM: Reply from support asking if engineering had followed up directly.
- March 9th, 2013, 2:03 PM: Sent email to support indicating that no followup had occurred.
- March 10th, 2013, 1:51 PM: Reply from support, following up with engineering.
- March 10th, 2013, 11:31 PM: Reply from support, engineering has released a preliminary fix.
- March 10th, 2013, 11:43 PM: Sent email to support, confirming that fix appears to mitigate vulnerabilities.
- March 15th, 2013: Published post, contacted support with link to post.