[BreachExchange] Nike website vulnerability leaked server login passwords and more
Destry Winant
destry at riskbasedsecurity.com
Thu Mar 8 00:10:55 EST 2018
https://www.techrepublic.com/article/nike-website-vulnerability-leaked-server-login-passwords-and-more/
A flaw in the MyNikeTeam.com website allowed anyone with a few lines
of Python code to access sensitive data, including server login
credentials.
Following the discovery of a flaw in MyNikeTeam.com, Nike has taken
the website offline.
A vulnerability in the Nike website MyNikeTeam.com allowed a security
researcher to access server login credentials for system admins,
according to a report from our sister site ZDNet.
The researcher was able to read the files on the server by exploiting
an out-of-band XML external entities (OOB-XXE) flaw, ZDNet reported.
These kinds of exploit are typically difficult to pull off, but they
give a hacker deep access to a server.
The flaw was initially discovered by security researcher Corben Leo
toward the end of 2017. According to ZDNet, Leo contacted Nike at the
time, and heard nothing for three months. At that time, Leo then
brought the information to ZDNet.
The exploit only required a few lines of Python code, but allowed Leo
to grab data from the server and send it to an external FTP server he
had set up, the report said. ZDNet confirmed the exploit and noted
that it "included every username able to log in to the server, such as
system administrators."
To address the issue, Nike simply took the MyNikeTeam.com website
offline. The firm offered the following statement to
ZDNet:"MyNikeTeam.com site was a pilot site that was active for a few
months last year and was hosted on a separate server to the main
Nike.com site. It has now been retired to address this issue. We
appreciate any notification that helps us maintain data security."
While the site was meant to be for wholesale customers, individual
consumers could still log in. However, according to ZDNet, Nike said
that customer data was not put at risk by the bug.
ZDNet passed the exploit code and video onto Scott Helme, a UK-based
security researcher. Helme confirmed the validity of the exploit and
called it "pretty severe."
"The response from Nike was to take the affected site offline but this
doesn't address the concerns around any data that was processed and
the access to other internal systems that an attacker would have had,"
Helme told ZDNet.
More information about the BreachExchange
mailing list