VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2021 · Updated Aug 3, 2024

CVE-2021-32612

Description

The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The application transmits all API traffic over cleartext HTTP instead of HTTPS, exposing sensitive data in transit."

Attack vector

An attacker on the same local network as the victim, or any network device between the victim and the backend server, can sniff the cleartext HTTP traffic [ref_id=1][ref_id=2]. The advisory demonstrates a captured login request showing the username (email address) and password hash transmitted in plaintext in the POST body to /user/login [ref_id=1]. Because registration and password change requests are also sent over cleartext HTTP, the attacker can steal credentials, intercept password reset tokens, or capture session data to take over user accounts [ref_id=1][ref_id=2].

Affected code

The VeryFitPro Android application (com.veryfit2hr.second) version 3.2.8 communicates with the backend API at veryfitproapi.veryfitplus.com over cleartext HTTP. The advisory identifies that all API endpoints—including /user/login—are accessed via HTTP rather than HTTPS [ref_id=1][ref_id=2]. No specific source files or functions are named in the advisory.

What the fix does

The advisory does not provide a patch or code fix. It states only "To mitigate" without publishing a remediation [ref_id=1][ref_id=2]. The recommended fix would be to enforce HTTPS for all API communication, ensuring that login, registration, and password change requests are encrypted in transit to prevent network sniffing.
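As an added example (not code from the advisory, the vendor, or NVD): a small audit helper that resolves whether an Android network security config still permits cleartext HTTP to the API host named above, run against a constructed weak config and a constructed corrected one. The precedence it models (matching domain-config, then base-config, then the targetSdkVersion default) follows Android's documented behaviour; nested domain-config entries and pin-sets are left out.

```python
import xml.etree.ElementTree as ET

# Constructed example of the weak setting: cleartext HTTP allowed to every host,
# so the backend named in the advisory is reachable over plain HTTP.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed example of the corrected setting: cleartext denied globally, with an
# explicit domain-config for the API domain so the rule is visible to reviewers.
FIXED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">veryfitplus.com</domain>
    </domain-config>
</network-security-config>"""

API_HOST = "veryfitproapi.veryfitplus.com"  # backend host named in the advisory


def _domain_matches(pattern: str, include_subdomains: bool, host: str) -> bool:
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or (include_subdomains and host.endswith("." + pattern))


def cleartext_permitted(config_xml: str, host: str, target_sdk: int) -> bool:
    """Return True if Android would allow cleartext HTTP to `host` under this config.

    Resolution order modelled here: the first top-level <domain-config> whose
    <domain> matches the host, then <base-config>, then the platform default
    (cleartext allowed below targetSdkVersion 28, denied from 28 onward).
    Nested <domain-config> elements and pin-sets are not modelled.
    """
    root = ET.fromstring(config_xml)
    matched = None
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            inc = (d.get("includeSubdomains") or "false").lower() == "true"
            if _domain_matches(d.text or "", inc, host):
                matched = dc
                break
        if matched is not None:
            break
    attr = matched.get("cleartextTrafficPermitted") if matched is not None else None
    if attr is None:  # no matching domain rule: inherit from base-config
        base = root.find("base-config")
        attr = base.get("cleartextTrafficPermitted") if base is not None else None
    if attr is not None:
        return attr.lower() == "true"
    return target_sdk < 28
```

Running `cleartext_permitted(WEAK_CONFIG, API_HOST, 30)` returns True while the corrected config returns False; an app with no config file at all is only protected once it targets SDK 28 or later.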

Preconditions

  • Network: the attacker must be on the same local network as the victim or be a network device between the victim and the backend server (e.g., a compromised router or ISP-level intermediary)
  • Input: the victim must use the VeryFitPro Android application (com.veryfit2hr.second) version 3.2.8
  • Auth: no authentication is required for the attacker; the traffic is cleartext and passively observable

Reproduction

Place a network sniffer (e.g., tcpdump or Wireshark) on the same LAN as a device running VeryFitPro 3.2.8. Have the victim perform a login, registration, or password change. Observe the cleartext HTTP POST to veryfitproapi.veryfitplus.com containing the username and password hash in the request body, as shown in the advisory's packet capture [ref_id=1][ref_id=2].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
