CVE-2021-36460

7.8 HIGH

📋 TL;DR

VeryFitPro mobile app versions 3.2.8 and earlier hash passwords on the client and send the resulting hash as the credential to the backend APIs, so the hash is effectively equivalent to the password. Anyone who intercepts or otherwise obtains a user's password hash can replay it to impersonate that user and take over the account. All users of the affected app versions are vulnerable.

💻 Affected Systems

Products:
  • VeryFitPro (com.veryfit2hr.second)
Versions: 3.2.8 and earlier
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover for all users, allowing attackers to access personal data, modify account settings, and potentially access connected services.

🟠 Likely Case

Targeted account compromise for users whose network traffic is intercepted or whose hashes are otherwise obtained, leading to privacy violations and unauthorized access.

🟢 If Mitigated

Limited impact with proper network security controls and monitoring, though the fundamental authentication flaw remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining password hashes through network interception, database compromise, or other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Users should uninstall the app until a fixed version is released.

🔧 Temporary Workarounds

Uninstall Vulnerable App (applies to: all)

Remove the VeryFitPro app from all devices to eliminate the vulnerability.

Network Traffic Monitoring (applies to: all)

Monitor for transmission of password hashes in network traffic and block suspicious authentication attempts.

🧯 If You Can't Patch

  • Discontinue use of VeryFitPro app and migrate to alternative fitness tracking solutions.
  • Implement strict network segmentation and monitoring for devices running the vulnerable app.

🔍 How to Verify

Check if Vulnerable:

Check app version in device settings. If version is 3.2.8 or earlier, the device is vulnerable.

Check Version:

Check app version in device app settings or app store listing.

Verify Fix Applied:

Verify app has been uninstalled or updated to a version later than 3.2.8 (if available).

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts using intercepted hashes
  • Unusual account access patterns

Network Indicators:

  • Transmission of password hashes in authentication requests
  • API calls using hash-based authentication

SIEM Query:

Search for authentication events containing hash values or unusual authentication patterns from VeryFitPro app.
