{"id":635179,"date":"2026-03-24T07:39:41","date_gmt":"2026-03-24T05:39:41","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=635179"},"modified":"2026-03-24T07:45:31","modified_gmt":"2026-03-24T05:45:31","slug":"security-vulnerability-at-biggest-gym-chain-in-south-africa","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/635179-security-vulnerability-at-biggest-gym-chain-in-south-africa.html","title":{"rendered":"Security vulnerability at biggest gym chain in South Africa"},"content":{"rendered":"\n

A serious vulnerability in Virgin Active South Africa\u2019s payment systems has been revealed, potentially exposing private client information, including bank account details.<\/p>\n\n\n\n

Cybersecurity analyst and ethical hacker Bruce Malaudzi<\/a> reached out to MyBroadband with the information that a critical flaw in the gym\u2019s Netcash payment systems could be exploited by threat actors.<\/p>\n\n\n\n

MyBroadband helped him disclose his findings to Virgin Active, whose security personnel patched the vulnerability over the weekend.<\/p>\n\n\n\n

With 125 clubs and 631,000 members<\/a> across South Africa, Virgin Active is the country\u2019s largest gym chain.<\/p>\n\n\n\n

Malaudzi explained that he found the vulnerability through a routine link Virgin Active sends customers to make payments. He said he could tell something was wrong when he first looked at the link.<\/p>\n\n\n\n

\u201cAs a senior cybersecurity professional, I could tell that the payment link system\u2019s security is enforced at the client side, instead of server side,\u201d he told us. <\/p>\n\n\n\n

\u201cThis means a client can manipulate the URL or HTTP query, and the server accepts it.\u201d <\/p>\n\n\n\n

Malaudzi provided us with code and screenshots showing how an attacker could easily change the amount owed to a specific client by exploiting this client-side payment link.<\/p>\n\n\n\n

He did this simply by manipulating the URL in the link sent to clients by Virgin Active when requesting payment, for example, if a client\u2019s monthly payment bounces.<\/p>\n\n\n\n

Malaudzi demonstrated that users can change how much any gym member owes at any given time. For example, a user who owed R2,200 could reduce their bill to R1 with the exploit.<\/p>\n\n\n\n

The nature of the vulnerability meant that any user with rudimentary coding knowledge could change their monthly bill to R1 every month. A Premier membership at the gym chain costs R1,670 per month.<\/p>\n\n\n\n

While potentially damaging for the company, this exploit came with a more serious problem. A hacker could use it to continue digging into the system and find private user information. <\/p>\n\n\n\n

\u201cIf you visit any of the links mentioned earlier and switch to Developer Tools on your browser, you will see a hardcoded API key,\u201d Malaudzi said. <\/p>\n\n\n\n

\u201cWith this token, you can query the backend database.\u201d Essentially, a hacker could dump user information for every Virgin Active member in the entire country, en masse.<\/p>\n\n\n\n

This includes information on how much money they owe the gym chain and their email addresses, at first. Malaudzi said he could also obtain the names of every single sales consultant in the country.<\/p>\n\n\n\n

A very serious problem for Virgin Active<\/h2>\n\n\n\n
\"\"
Bruce Malaudzi, ethical hacker<\/figcaption><\/figure>\n\n\n\n

He said that he did not continue digging into the system because it would have been illegal to do so without written permission from Virgin Active. However, the law would not stop a cybercriminal.<\/p>\n\n\n\n

Using the same vulnerability, a threat actor can uncover personally identifiable information from gym members, including any details they provided when signing up. That includes bank account details.<\/p>\n\n\n\n

Criminals can also use the information to conduct highly-targeted “spear phishing attacks,” where users are lured into clicking malicious links. <\/p>\n\n\n\n

“Knowing the exact amount owed (R1425.0) and the member’s gym (Virgin Active – Kings Park) allows an attacker to send a fake payment link that a victim is highly likely to trust,” Malaudzi says. <\/p>\n\n\n\n

No private Virgin Active member information exposed<\/h2>\n\n\n\n
\"\"
After manipulation, the outstanding amount is set to R1<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
\"\"
A valid token is required to authorise the R1 transaction<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
\"\"
Opening the developer tools panel in the browser exposes the token<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
\"\"
Authorising the R1 transaction with a hijacked token<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
\"\"
Showing outstanding amount before and after the manipulation<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
\"\"
Information dumping the names of all the sales consultants at Virgin Active South Africa<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n

Virgin Active was unaware of the vulnerability when we contacted them on 18 March 2026.<\/p>\n\n\n\n

\u201cUpon receipt of your email, we took immediate precautionary action by disabling the relevant payment links while our IT and security teams investigated the matter,\u201d the company told MyBroadband on Monday.<\/p>\n\n\n\n

\u201cThe review identified a number of lower-risk items requiring attention, which were addressed on the same day.\u201d Virgin Active said it has now implemented enhancements to the payment link functionality.<\/p>\n\n\n\n

\u201cThere are some residual elements related to previously issued links that are currently being finalised as part of this process,\u201d it said.<\/p>\n\n\n\n

\u201cBased on our assessment to date, we are satisfied that no sensitive information has been exposed and that appropriate controls are in place.\u201d Virgin Active said protecting member information remained a top priority.<\/p>\n\n\n\n

\u201cWe take matters of this nature very seriously. We will continue to monitor and review our systems as part of our ongoing security and risk management processes.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

A serious security vulnerability was revealed in Virgin Active South Africa’s payment systems, potentially exposing bank details of members. <\/p>\n","protected":false},"author":341213,"featured_media":635316,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[102734,15227,23613,12249,62930,71668],"class_list":["post-635179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-bruce-malaudzi","tag-cybersecurity","tag-exploit","tag-virgin","tag-virgin-active","tag-white-hat-hacker"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/635179"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=635179"}],"version-history":[{"count":20,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/635179\/revisions"}],"predecessor-version":[{"id":635428,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/635179\/revisions\/635428"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/635316"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=635179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=635179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=635179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}