Published in AxDB

Planet Fitness: a lazy coder’s way of verifying premium access

Planet Fitness website constantly recommending their “premium” tier: PF Black Card®

“Planet Fitness members enjoy discounts and special deals from our partners,” reads their purple-yellow website. And typically, those discounts are applicable only to Black Card® members — their premium tier.

Then one may ask, well how do Black Card® members get these discounts?

https://www.facebook.com/planetfitness/posts/10153646709739856

According to their website and multiple public Facebook posts, one may visit the following link (the link in the Facebook comment ultimately redirects to the one below), verify one’s membership and enjoy access to special discounts!

https://www.planetfitness.com/membership-discounts

There you will be greeted with a security guard, in the form of an interstitial which asks you for your “Keytag number.” So far so good, right?

But…
As long as you enter anything over 5 characters in length, you’ll get in. An example string would be:

Poof! Gone is that interstitial. Moreover, the “discount links” are pretty simple too — there’s no secret access code, GET parameter or anything contained in them for verification. It’s one simple URL you could have found on Google.

The Cause

Why does this happen?
Because… here is the snippet from the client-side code of the “membership-discounts” page. The “Verify” button on the globally available Planet Fitness website executes a method named myFunction(), which any serious developer would find hilarious. As you can see, as long as an input longer than 5 characters is provided, the interstitial is simply hidden using CSS styling. In a nutshell, not a single network request is sent to the server for actual verification! Alternatively, any kid who knows how to use the Developer Tools in a modern web browser could simply “hide” the interstitial.
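To make the defect concrete, here is an added example (not Planet Fitness code, and not the myFunction() snippet from the page, which is not reproduced here). The first function reconstructs the client-side-only gate from the description above; the rest shows the shape a defensible design takes: the browser only forwards the keytag, the server validates its format, looks the member up in a membership store and returns the partner links only on success, so the links never sit in the page source. The membership store, the 10-digit keytag format, the `/api/verify-keytag` endpoint and all function names are assumptions made for this example.

```javascript
// Added example: client-side-only gate (reconstructed from the post) versus
// server-side membership verification. All names and data are assumptions.

// --- Weak pattern, as described in the post --------------------------------
// The "Verify" button checks only the input length and hides the interstitial
// with CSS. No request reaches the server, so the check proves nothing.
function clientOnlyGateAllows(keytagInput) {
  return String(keytagInput).length > 5;   // anything over 5 characters passes
}

// --- Hardened pattern: the browser asks, the server decides -----------------
// Constructed membership store standing in for the club's CRM (hypothetical data).
const MEMBERSHIPS = new Map([
  ["1000000001", { tier: "black_card", active: true }],
  ["1000000002", { tier: "classic",    active: true }],
  ["1000000003", { tier: "black_card", active: false }],
]);

// Partner links are only ever returned by the server after verification,
// so they are never embedded in the publicly served page. Placeholder URLs.
const BLACK_CARD_DISCOUNTS = [
  "https://partner.example/offer-a",
  "https://partner.example/offer-b",
];

// Syntactic check before any lookup. The 10-digit format is an assumption;
// real keytag formats differ.
const KEYTAG_RE = /^\d{10}$/;

function verifyKeytagServerSide(keytag, store = MEMBERSHIPS) {
  if (!KEYTAG_RE.test(keytag)) {
    return { ok: false, reason: "malformed", discounts: [] };
  }
  const member = store.get(keytag);
  if (!member || !member.active) {
    // Same response for unknown and inactive keytags: do not leak which it was.
    return { ok: false, reason: "not_found_or_inactive", discounts: [] };
  }
  if (member.tier !== "black_card") {
    return { ok: false, reason: "wrong_tier", discounts: [] };
  }
  return { ok: true, reason: "verified", discounts: BLACK_CARD_DISCOUNTS };
}

// Browser side: nothing is decided here. The interstitial is hidden only when
// the server says ok, and the links come from the response, not the page.
// `fetchImpl` is injectable so the flow can be exercised without a network.
async function handleVerifyClick(keytagInput, fetchImpl) {
  const res = await fetchImpl("/api/verify-keytag", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ keytag: keytagInput }),
  });
  const data = await res.json();
  return data.ok
    ? { hideInterstitial: true, links: data.discounts }
    : { hideInterstitial: false, links: [] };
}

// Stand-in for fetch() that routes the request to the verifier in-process,
// so the example runs offline.
function localFetch(_url, opts) {
  const { keytag } = JSON.parse(opts.body);
  const result = verifyKeytagServerSide(keytag);
  return Promise.resolve({ json: () => Promise.resolve(result) });
}
```

With the weak gate, `clientOnlyGateAllows("abcdef")` is true for anyone; with the server-side path, the same string is rejected as malformed, a Classic member is rejected as the wrong tier, and only an active Black Card® keytag receives the links. The point is not the lookup itself but where the decision is made: a check that runs entirely in the browser can be skipped by the browser's own tooling, so it is not access control at all.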

Possible Reasons

One may ask why such a lazy route for verifying premium access — on a global website, despite all this technology and APIs we have?

Because memberships aren’t managed via Planet Fitness’ in-house software but rather via myiclubonline.com, apparently a popular gym management application, and it is unclear whether it has an API to verify memberships programmatically at all! It is also possible that each Planet Fitness franchise club uses its own choice of Customer Relationship Management (CRM) software. Moreover, the access control only pertains to keeping special discounts offered by partner retailers under wraps, or at least pretending to. And maybe they don’t care so much about who gets them and merely rely on keeping honest people honest. The effort and resources it would take to integrate different CRMs with the Planet Fitness megasite, all for a simple discount, aren’t worth it!

The Result

Members, whether regular or Black Card® holders, and the public (that is, the vast majority, who are not members at all) are all able to get the discounts!

Celebrate!

Planet Fitness — one Nation under lazy coders, indivisible, with discounts for all!

NOTE: While the mentioned flaw is a ‘bug’ in the sense that it probably does not meet the expectation(s) defined in the “Requirements Specification,” it is an intentional one: a lazy workaround and not, per se, a “security vulnerability.” Any project manager or renowned web developer would infer the same conclusion. As such, “standard” vulnerability disclosure practices and waiting periods are not being followed.

The “membership-discounts” page has been archived for future reference or for retroactively testing the bug: https://web.archive.org/web/20180622212603/https://www.planetfitness.com/membership-discounts


Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and the research community can subscribe.

Ax Sharma
Security Researcher | Tech Columnist | https://hey.ax
