Recently, I was doing some pen-testing on a higher-end Association Management System (AMS) called Personify, specifically the Personify360 7.5 platform. Some significant bugs were discovered, and in the next few posts I’ll describe what they are and how they were found.
Background
Personify is a system that helps associations manage their membership fees as well as sell products via a built-in e-Commerce platform.
The Bug
When on a Personify site, navigate to the /TabId/275 URI; it should look something like this:
When you go there, a screen similar to this will appear:
This is actually showing a list of ‘vendors’ (read: programs with API access) with their usernames. There is no login required to see this data.
It gets better: if you click the edit button on any of the rows, here’s what comes up:
Yup, all the account data is available in clear text (cut out for privacy reasons). Username, Password, Block (Personify’s version of password) as well as other information is available to copy or edit, good times.
You can even go back to the previous page (first screenshot) and click the New button if you just want to create an additional account.
Once that’s done, you can use SoapUI or a similar tool to connect to their web services using these credentials and do actions on user accounts or just steal all the data.
To fix this issue, update to the latest version of Personify by following the instructions from their email (see below screenshot).
CVE-2017-7312
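For a site that ran an affected version, the web server logs can show whether anyone outside the admin network loaded the vendor page. The script below is an added example, not code from this post or from Personify: it assumes IIS W3C extended logs, a hypothetical admin network of 10.20.0.0/24 and constructed log lines, and it matches /TabId/275 in any case anywhere in the path, which goes slightly beyond the single URI shown above.

```python
import ipaddress
import re

# Hypothetical admin network allowed to reach the vendor page (assumption).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# /TabId/275 as a whole path segment pair, any case, anywhere in the path.
VENDOR_PAGE = re.compile(r"(?i)(?:^|/)tabid/275(?:/|$)")

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2017-03-01 10:00:01 GET /TabId/275/Default.aspx - 10.20.0.15 200
2017-03-01 10:02:11 GET /TabId/2750/Default.aspx - 203.0.113.9 200
2017-03-01 10:05:42 GET /Home/tabid/275/Default.aspx - 203.0.113.9 200
2017-03-01 10:06:03 POST /Home/tabid/275/Default.aspx - 203.0.113.9 200
2017-03-01 10:07:30 GET /TabId/275 - 198.51.100.4 302
"""

def find_vendor_page_hits(log_text):
    """Return (timestamp, client_ip, method, path) for each request that
    got a 200 on the vendor page from outside the admin networks."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if not VENDOR_PAGE.search(row["cs-uri-stem"]):
            continue
        if row["sc-status"] != "200":
            continue  # non-200 responses did not return the page body
        try:
            client = ipaddress.ip_address(row["c-ip"])
        except ValueError:
            continue
        if any(client in net for net in ADMIN_NETS):
            continue
        hits.append((f'{row["date"]} {row["time"]}', row["c-ip"],
                     row["cs-method"], row["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in find_vendor_page_hits(SAMPLE_LOG):
        print(*hit)
```

Any hit, and especially a POST, is a reason to treat the vendor accounts listed on that page as exposed and rotate their credentials after patching.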