Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing over 1.3 million records in total and reported it to Website Planet. Upon further investigation it became clear that these records were associated with a fitness and wellness organization.
The exposed records indicated that they belonged to a British company called Move Your Frame, often referred to simply as Frame, a fitness and wellness organization that offers over 1,300 classes, including yoga, dance, pilates, and strength training, aimed at improving overall health and wellbeing. They also offer personal training sessions and online classes, and have 7 studios located in London, UK.
When I discovered the open server, I immediately sent a responsible disclosure notice to the alleged owners informing them that the database was publicly accessible. The database was secured within hours of the discovery and reporting of the exposure, but I did not receive any reply. The types of records inside the database appear to range from sales and marketing-related documents to content and customer management. This also included more than 500,000 payment receipts that revealed customer names, physical home addresses and email addresses.
According to their website, the Frame mobile app allows users to: “Book an in-studio class, create your own timetable on-demand or ‘show up’ to a livestream class from virtually anywhere. Users can manage their account directly from the app, check bookings, update billing details and check credit available to use”. The first Frame fitness studio opened in 2009 in Shoreditch, followed by the Queens Park location in 2012 and Kings Cross in 2015. In 2016 Frame opened in Victoria and their first stand-alone yoga studio in Kings Cross. In 2018 Frame opened two new sites in Hammersmith and Fitzrovia.
What the database contained:
Total records exposed: 1,355,495 / Size 1.3TB.
500,251 payment receipts in .pdf format which included customer names, physical addresses, emails, and an indication of services purchased and payment methods used.
APK files, which could potentially be downloaded, edited to include malware or malicious code, and re-uploaded.
Spreadsheet documents of individuals who attended classes. This included the customer’s name, internal customer number, location and date of classes attended.
Customer records that reveal personal information such as individual names, addresses, email addresses, and other details can be considered a security and privacy risk. These individuals could receive spam or phishing emails or other types of social engineering attempts. Payment receipts are not usually public information, and they would allow cyber criminals to target customers with specific and detailed insider knowledge that only Frame and the customer would know. Using this information, fraudsters could attempt to obtain additional personal information or credit card numbers. I am not suggesting or asserting that Frame’s customers are or were ever at risk, as I cannot know if anyone else accessed the server. I am only raising awareness so that individuals who may have been affected can be vigilant and watch for suspicious emails or contacts.
The database also contained APK files, the package format used on Android-based operating systems to distribute and install mobile apps, mobile games and middleware. An APK file is essentially a ZIP archive that contains all the files and resources necessary to run an Android app. As such, it is possible to extract the contents of an APK file, modify the code or resources with a malicious script, and then repackage the modified files into a new APK file. Hypothetically, once an altered APK is uploaded back onto Frame’s server, all new downloads or updates could potentially be infected with malicious code. I am not implying that these files were altered or compromised in any way, and my intention is solely to inform readers about potential security risks associated with this type of exposure. Most app stores have a set of guidelines and requirements that app developers must follow in order to have their apps approved for distribution. As part of this process, the app store will typically use automated tools and manual reviews to check for any signs of malicious code or other security issues; an APK served directly from a company’s own storage bypasses that review. It is crucial to understand that we are not accusing any party of wrongdoing, but merely providing information about possible security concerns.
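As an added defender-side example (not Frame’s or Website Planet’s code), the following Python checks an APK’s entries against the per-entry SHA-256 digests in its META-INF/MANIFEST.MF, the first layer of Android’s v1 (JAR) signing scheme, to flag files that were edited and repackaged without regenerating the manifest. The sample archive is constructed inline; the check deliberately stops short of verifying the CERT.SF/CERT.RSA signature over the manifest.

```python
import base64
import hashlib
import io
import zipfile

# Added example, not Frame's code. An APK is a ZIP whose META-INF/MANIFEST.MF
# lists a SHA-256 digest per entry; edited-and-repackaged entries won't match.
def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_sample_apk(entries: dict, manifest_entries: dict = None) -> bytes:
    """Constructed APK-like ZIP; the manifest is computed over manifest_entries
    (default: entries), so passing different content simulates a repackaged file."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (entries if manifest_entries is None else manifest_entries).items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines).encode())
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Map entry name -> base64 SHA-256 digest, joining wrapped continuation lines."""
    lines, digests, name = [], {}, None
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # JAR manifests wrap long headers at 72 bytes
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
    return digests

def check_apk_digests(apk_bytes: bytes) -> dict:
    """Entries that disagree with MANIFEST.MF, are unlisted, or are missing."""
    report = {"modified": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        names = [n for n in zf.namelist() if not n.startswith("META-INF/")]
        for name in names:
            if name not in manifest:
                report["unlisted"].append(name)
            elif manifest[name] != _b64_sha256(zf.read(name)):
                report["modified"].append(name)
        report["missing"] = [n for n in manifest if n not in names]
    return report
```

A regenerated manifest would pass this check, so treat it as a triage filter and rely on full signature verification (`apksigner verify`, which also covers the v2/v3 signing block) as the authoritative control.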
It is unclear how long the database was exposed or whether it had been accessed by anyone else before my discovery and responsible disclosure notice. Frame acted fast and professionally in securing the records, files, and documents from public access. I highly recommend that companies that collect and store data consider implementing appropriate measures to ensure any public access is restricted. Storing all data in one location can increase the severity of an exposure. As a general best practice, I also recommend encrypting folders and files that contain sensitive information. Please note that we are not providing legal or professional advice, but merely sharing insights for informational purposes.
Jeremiah Fowler is a security researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered by Forbes, the BBC and Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.