Clubster App Leaked User Data, Additional Vulnerabilities Were Present

Two country club members looking at a smartphone while standing on a golf course

VPNOverview’s security team discovered a personally identifiable information (PII) breach affecting users of the Clubster social media app, a Facebook-style app for country clubs and other groups.

Upon auditing the app, we also encountered a couple of potentially catastrophic vulnerabilities. These issues can affect thousands of Clubster users.

PII Breach, Code Insertion, IDOR

We have categorized the issues found in our research as follows:

PII BreachSerious
Code InsertionCritical

Clubster App Exposes Members and Guests

Our security team confirmed that 14,271 members and guests at 176 country clubs were accidentally exposed by the Clubster app.

These people had their names and email addresses published on the web. The breach was caused by a leaky Amazon Web Services (AWS) S3 bucket.

Blurred Clubster email database with the count highlighted

Amazon’s Simple Storage Solution (S3) buckets have been causing problems for years. Recently, we found Sephora exposed the personal data of 100,000 customers.

We also found that Grink Inc.’s Switch app leaked 4,765 users’ data and severe issues with gaming giant Sega’s cloud security. Misconfigured S3 bucket permissions were the problem in those cases as well.

Malicious Code Injection Vulnerability

We were able to inject malicious code into Clubster posts and modify the posts of other users. Therefore, it would have been possible for a cybercriminal to steal user accounts and embed malicious scripts in Clubster posts.

Clubster made no attempt to filter JavaScript in posts. As a result, it was possible to insert custom-made malicious code in our own posts.

Combined with the IDOR vulnerabilities, any user could insert malicious code into any post or group post visible to them.

Code injection message on the Clubster website

As proof-of-concept (PoC), we added a malicious script to a post on a target user’s home screen. When we logged in as the target user, the script ran and displayed our session cookie.

We determined we could steal the account of any Clubster user we were friends with, as long as that user had at least one (1) post on their home screen.

IDOR Vulnerability

We also found vulnerabilities in Clubster’s API, which is a software interface used in modern software development. It is also well understood that APIs are a cybercriminal favorite and that API-related attacks are on the rise.

We found two API endpoints that allowed insecure direct object references (IDOR). This IDOR vulnerability allows users to change other users’ posts. It also lets users change group posts.

Infographic explaining how Insecure Direct Object Reference (IDOR) vulnerabilities work

To exploit this serious vulnerability, a malicious user needed to capture and change HTTP requests. So to simulate the IDOR attack, we edited one of our posts and captured the HTTP request.

We altered the request and changed the ID to another post. It succeeded, proving we were able to edit other’s posts.

Clubster code with vulnerability showing what you need to change to edit any post

We found two endpoints in Clubster’s API that were affected by an IDOR vulnerability. We were able to edit any user or group post controlled by these endpoints.

/post/editA logged-in user can edit another user’s posts
/organization/[group]/post/editA logged-in user can edit a group’s posts

Clubster Breach Timeline

We have organized our breach research timeline as follows;

VPNOverview’s security team notified Clubster of a PII breachDecember 2021
VPNOverview’s security team notified Clubster of vulnerabilitiesJanuary 2022
Clubster closed the PII breachJanuary 2022
Clubster repaired the vulnerabilitiesFebruary 2022
Clubster updated their appFebruary 2022

The Clubster App is Now Secure

Per the above, we notified Clubster, and they closed the PII breach in January 2022. In the next two months, Clubster repaired the rest of the vulnerabilities. Their users are now safe from potential attacks.

Clubster is a social networking app designed for country clubs and other groups. The app has features that enable users to post news, events, and announcements, share material in groups, and create custom events.

Clubster’s team rebuilt their API to close the vulnerabilities in the old version of the app.

Lessons Learned From Clubster’s Vulnerability

Breaches and vulnerabilities can prove to be especially serious in a social media app. Accounts that users would otherwise trust can be used to commit fraud and theft.

And in this case, the victims themselves may be desirable as members of country clubs.

VPNOverview cybersecurity expert Aaron Phillips had this to say: “I think it’s interesting that Clubster recently changed hands. Surely the original developers knew that posts weren’t sanitized and there was no access control in the /edit endpoints. It’s unfortunate the software was sold in that state, and we’re glad this breach was closed instead of exploited.”

Tech researcher & communications specialist
Cyber security researcher