Member preview

Planet Fitness: a lazy coder’s way of verifying premium access

Planet Fitness website constantly recommending their “premium” tier: PF Black Card®

“Planet Fitness members enjoy discounts and special deals from our partners,” reads their purple-yellow website. And, typically those discounts are applicable only to Black Card® members — their premium tier.

Then one may ask, well how do Black Card® members get these discounts?

https://www.facebook.com/planetfitness/posts/10153646709739856

According to their website and multiple public Facebook posts, one may visit the following link (the link in the Facebook comment ultimately redirects to the one below), verify your membership and enjoy access to special discounts!

https://www.planetfitness.com/membership-discounts

There you will be greeted with a security guard, in the form of an interstitial which asks you for your “Keytag number.” So far so good, right?

But…
As long as you enter anything over 5 characters in length, you’ll get in. An example string would be:

Poof! Gone is that interstitial. Moreover, the “discount links” are pretty simple too — there’s no secret access code, GET parameter or anything contained in them for verification. It’s one simple URL you could have found on Google.

The Cause

Why does this happen?
Because… here’s the snippet from the client-side code of “membership-discounts” page. The “Verify” button present on the globally available Planet Fitness website executes a method named myFunction(), which any serious developer would find hilarious. As you can see, as long as any input of length greater than 5 characters is provided, the interstitial is simply hidden using CSS styling. In a nutshell, there is not a single network request sent to the server for actual verification! Alternatively, any kid who knows how to use Developer Tools in a modern web browser could simply “hide” the interstitial.

Possible Reasons

One may ask why such a lazy route for verifying premium access — on a global website, despite all this technology and APIs we have?

Because, memberships aren’t managed via Planet Fitness’ in-house software but rather myiclubonline.com — apparently a popular gym management application. And it is unclear if they have an API to verify memberships programmatically at all! It is also possible that each Planet Fitness franchise club uses their own choice of Customer Relationship Management (CRM) software. Moreover, the access control pertains to keeping special discounts offered by partner retailers under wraps, or at least pretending to. And maybe they don’t care so much about who gets it and merely rely on keeping honest people honest. The effort and resources spent on integrating different CRMs with Planet Fitness megasite all for a simple discount isn’t worth it!

The Result

Members — regular or Black Card® holders, and the public aka vast majority non-members are able to get the discounts!

Celebrate!

Planet Fitness — one Nation under lazy coders, indivisible, with discounts for all!


NOTE: While the mentioned flaw is a ‘bug’ in the sense it probably does not meet the expectation(s) defined in the “Requirements Specification,” it is an intentional one; a lazy workaround and per se not a “security vulnerability.” Any project manager or a renowned Web Developer would be able to infer the same conclusion. As such, “standard” vulnerability disclosure practices and waiting periods are not being followed.

The “membership-discounts” page has been archived for future reference or for retroactively testing the bug: https://web.archive.org/web/20180622212603/https://www.planetfitness.com/membership-discounts