[English] Endomondo: Win sports competitions without making an effort
For those who do not know what Endomondo is: it is a sports community based on real-time GPS tracking, where you can track your progress (distance, speed, graphics, …) on your phone. Sports competitions are also held where you can win cool prizes (like a Samsung Galaxy S5). You take part in these competitions through your own workouts.
Apparently it is not so difficult to “fake” workouts, and win the competition.
I have tested this and I took screenshots to prove it. I unsubscribed from the sports competitions immediately after I tested, out of respect for the real leaders in the competition. Though I have my doubts about the people who are in the lead now, because they have a workout every hour of the day (24 hours long). This seems quite suspicious because you can’t train all day long.
They probably used the same technique I describe in this article.
Proof of concept
Here are some screenshots where you can see the results.
(As mentioned earlier, you will not find me in the high scores because I unsubscribed from the competitions.)
The workouts can be found here (if my fake account still exists by the time you read it):
http://www.endomondo.com/workouts/user/16152897
Method
I intercepted traffic between my phone and the Internet. I used “Charles Proxy” in this demonstration.
Submitting a workout is nothing more than a request to a single link, with every value carried as a parameter in that link. You can simply copy this link and edit it.
http://api.mobile.endomondo.com/mobile/track?authToken=TOKENEMITTED&workoutId=2014-05-18%2016:04:54%20GMT%2B2&sport=0&duration=0.02&calories=0.00&hydration=0.00&goalType=BASIC&deflate=true&extendedResponse=true&audioMessage=true
Basically you can just adjust those values and resubmit it. If you take a different date, a new workout is created automatically.
If we split it up, it becomes clearer:
http://api.mobile.endomondo.com/mobile/track?authToken=TOKENWEGGELATEN
&workoutId=2014-05-18%2016:04:54%20GMT%2B2
&sport=0
&duration=0.02
&calories=0.00
&hydration=0.00
&goalType=BASIC
&deflate=true&extendedResponse=true&audioMessage=true
So these are parameters that you can change however you like, just by adjusting the link.
The only thing that’s left is to paste the new link in your browser and submit it.
You even get a response containing the workout ID.
Conclusion
The athletes at the top of the list have submitted a workout every hour of the day (without sleeping). I really have my doubts about that. By using a simple PHP script (in combination with cron jobs), you can make your way to the top by submitting workouts. You can achieve realistic results by updating each workout with increasing distance and time.
Endomondo could have expected this when using such a simple communication system.
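Because every value in the link is client-supplied, the server has to judge plausibility itself. The following is an added example, not code from this article or from Endomondo: a server-side review that flags the pattern described above (a workout every hour of the day) along with overlapping workouts and workouts that claim more time than has elapsed. The function names, the 16-hour threshold, the host `api.example.invalid` and the reading of `duration` as seconds are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_START_HOURS_PER_DAY = 16  # assumed policy threshold, not from the article
WORKOUT_ID = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) GMT([+-]\d{1,2})$")

def parse_submission(url):
    """Return (start, duration) from a track URL laid out like the one above."""
    query = parse_qs(urlsplit(url).query)  # decodes %20 and %2B
    m = WORKOUT_ID.match(query["workoutId"][0])
    if m is None:
        raise ValueError("unparseable workoutId")
    tz = timezone(timedelta(hours=int(m.group(2))))
    start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    # Assumption: duration is in seconds; the article does not state the unit.
    return start, timedelta(seconds=float(query["duration"][0]))

def review(urls, received_at):
    """Return sorted reasons why one user's submissions are implausible."""
    flags, hours_by_day, prev_end = set(), {}, None
    for start, duration in sorted(parse_submission(u) for u in urls):
        end = start + duration
        if end > received_at:
            flags.add("ends-after-receipt")   # claims more time than has passed
        if prev_end is not None and start < prev_end:
            flags.add("overlaps-previous")    # two workouts at the same time
        prev_end = end if prev_end is None else max(prev_end, end)
        hours_by_day.setdefault(start.date(), set()).add(start.hour)
    if any(len(h) > MAX_START_HOURS_PER_DAY for h in hours_by_day.values()):
        flags.add("no-rest-period")           # active around the clock
    return sorted(flags)

def sample_url(hour, seconds):
    """Constructed sample input: hypothetical host, placeholder token."""
    return ("http://api.example.invalid/mobile/track?authToken=PLACEHOLDER"
            f"&workoutId=2014-05-18%20{hour:02d}:00:00%20GMT%2B2&sport=0&duration={seconds}")

NEXT_DAY = datetime(2014, 5, 19, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(review([sample_url(h, 3000) for h in range(24)], NEXT_DAY))
    print(review([sample_url(7, 3600), sample_url(18, 1800)], NEXT_DAY))
```

Checks like these only catch crude submissions; a competition with prizes also needs the workout data itself (the GPS track) to be validated against the claimed totals.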