BreachExchange mailing list archives
Nike website vulnerability leaked server login passwords and more
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 7 Mar 2018 23:10:55 -0600
https://www.techrepublic.com/article/nike-website-vulnerability-leaked-server-login-passwords-and-more/

A flaw in the MyNikeTeam.com website allowed anyone with a few lines of Python code to access sensitive data, including server login credentials.

Following the discovery of a flaw in MyNikeTeam.com, Nike has taken the website offline.

A vulnerability in the Nike website MyNikeTeam.com allowed a security researcher to access server login credentials for system admins, according to a report from our sister site ZDNet.

The researcher was able to read the files on the server by exploiting an out-of-band XML external entities (OOB-XXE) flaw, ZDNet reported. These kinds of exploit are typically difficult to pull off, but they give a hacker deep access to a server.

The flaw was initially discovered by security researcher Corben Leo toward the end of 2017. According to ZDNet, Leo contacted Nike at the time, and heard nothing for three months. At that time, Leo then brought the information to ZDNet.

The exploit only required a few lines of Python code, but allowed Leo to grab data from the server and send it to an external FTP server he had set up, the report said. ZDNet confirmed the exploit and noted that it "included every username able to log in to the server, such as system administrators."

To address the issue, Nike simply took the MyNikeTeam.com website offline. The firm offered the following statement to ZDNet:

"MyNikeTeam.com site was a pilot site that was active for a few months last year and was hosted on a separate server to the main Nike.com site. It has now been retired to address this issue. We appreciate any notification that helps us maintain data security."

While the site was meant to be for wholesale customers, individual consumers could still log in. However, according to ZDNet, Nike said that customer data was not put at risk by the bug.

ZDNet passed the exploit code and video onto Scott Helme, a UK-based security researcher. Helme confirmed the validity of the exploit and called it "pretty severe."

"The response from Nike was to take the affected site offline but this doesn't address the concerns around any data that was processed and the access to other internal systems that an attacker would have had," Helme told ZDNet.

_______________________________________________
BreachExchange mailing list
sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange