The gym I go to has an app for users to scan a QR code when they arrive and it has multiple HUGE issues.

This app shows the credit card info used for the direct debit without anything being redacted.

When the gym is signing up someone they give them a password so they can login, not too bad except the password is always the person's first name with the first letter capitalised.

This gets worse when you figure out that there is no way to change the password given to you AT ALL.

And just to top it all off, when you click the "Forgot Password" link on the login screen, the app just sends you an email with your password (your first name) in plain text.

The app also doesn't log you out or notify you if your login is used on a different device.

So I have tested this with 2 of my friends that go to the same gym and, with only knowing their email and first name (which I could have gotten from their email if I didn't know them), I can get into their app and see their credit card info without them being any the wiser.

    Just thinking about it is a workout.
    Is the ccv in there? If yes, you can inform the provider of the credit card network they belong to. They can throw them out of the network if they don't comply with the rules.
    @stop what if they aren't even registered for keeping those credit cards in there.
    @iSwimInTheC No matter how they deal with payments, whoever they're directly in contract with has to keep track of them and demand that they comply with security regulations.
    @lorentz lol you assume they even got clearance 😂
    I really want to know what OP found now
    Even worse. Then they are permanently kicked out of the network and can't even use a terminal without an audit.
