Hacking cult.fit for unlimited free Gym sessions

4 min readNov 13, 2023

This write-up lists the details of my report to Cult.fit regarding a security flaw with their free trial system that could allow anyone to book any number of gym sessions for free.

Date Reported: August 15, 2023

First Response: August 15, 2023

Vulnerability Confirmed: August 23, 2023

Resolved & Bounty: Sept 19 & Oct 17, 2023

What went down: The Specifics

Cult Pass / Cult Center provides every user with 2 credits to try out any of the centres from the list given and the card looks somewhat like below

It either gives you a direct QR code which can be taken to the Gym to gain access or the second option is to book a guaranteed slot at the gym which is also the recommended way where I get a confirmed QR with an actual ID if the current day = Check-in day.

There were 2 ways identified to compromise this trial system and trick it into giving you multiple credits:

1) Race condition (Low success rate)

A race condition occurs when two requests simultaneously attempt to access and modify a single resource. In this scenario, if you booked any session with any of the centres and logged into your account from two different devices, moving to the booked session page on both devices and hitting the cancel button on the confirmation prompt simultaneously resulted in a refund of 1 + 1 credit back to your account. This process could be performed an unlimited number of times, and each time your credit balance for the trial increased by 1, granting you free access everywhere.

2) Payload Manipulation (Guaranteed Way)

There were 2 main issues found here:

Being able to book gym sessions in the past
Ability to get +1 session refund even if the session was in the past

There are scenarios where you book a session for a date but you don’t really show up to the centre and your booking is marked as MISSED:

You also have cases where your booking is sometime in the future and you could click on the 3 dots on the card and cancel that session which would call an API:

https://www.cult.fit/api/gymfit/checkin/{checkin_id}/cancel

But the sessions which have expired/missed do not have this option but still could be cancelled by looking at the response from the following endpoint:

https://www.cult.fit/api/page/cult?breadcrumb=true&seoPageId=gymfitList&selectedTab=gymfitList

This would return the list of all upcoming sessions in HORIZONTAL_ACTIONAL_CARD_LISTING_WIDGET carditems property. The property of interest here is:

"eventData": { "widgetType": "gym_mycheckins_widget", "actionTarget": "reportissue", "extraParams": { "checkinId": <redacted>} }

We get the checkinId of every session irrespective of completed/missed/upcoming, we can then directly hit the cancel endpoint with this checkIn ID and cancel the session irrespective of its status since there are no checks implemented, And voila! You now have an extra trial credit. This can now be leveraged exponentially to increase credits.

How to make sure we never run out of credits?

The actual booking endpoint was:

https://www.cult.fit/api/gymfit/checkin/confirmation?eventId=<event_id>&centerId=<center_id>

This endpoint has a flaw as well where I can easily book sessions in the past by just periodically decrementing the event_id value and finding a session which falls below today’s date and time and that session is marked as MISSED right after being booked!

With this, we now have an infinite loop of booking and cancelling sessions which keeps increasing our trial credit value. Below is a POC screenshot of my own account dashboard where the count value was almost 5 where even after having 3 upcoming sessions I still had 1 more trial credit left:

Closing Thoughts

Even the biggest systems have some flaws, flaws that can lead to unexpected and the worst kind of problems.

Protecting against race conditions: In the intricate dance of simultaneous processes or threads vying for access to shared resources, missteps can lead to unexpected and undesirable outcomes. Employing strategies such as atomic operations, mutexes, and thread synchronization can significantly reduce the risk of these concurrency-related issues. Remember, the pursuit of a robust and secure system involves not only optimizing performance but also fortifying defences against subtle yet impactful flaws like race conditions.

Using Random IDs: Implementing random identifiers can be a powerful strategy in various aspects of system design. Whether generating unique session tokens, creating database keys, or assigning temporary names, random IDs offer a level of unpredictability that enhances security and mitigates the risk of potential vulnerabilities. By relying on randomization, systems can thwart predictability and reduce the likelihood of malicious exploitation.