Nike website vulnerability leaked server login passwords and more

LASER_oneXM

Feb 4, 2016
An undisclosed flaw in Nike's MyNikeTeam.com website for wholesale customers could be exploited with a few lines of code.

  • A flaw in the MyNikeTeam.com website allowed anyone with a few lines of Python code to access sensitive data, including server login credentials.
  • Following the discovery of a flaw in MyNikeTeam.com, Nike has taken the website offline.
A vulnerability in the Nike website MyNikeTeam.com allowed a security researcher to access server login credentials for system admins, according to a report from our sister site ZDNet.

The researcher was able to read the files on the server by exploiting an out-of-band XML external entities (OOB-XXE) flaw, ZDNet reported. These kinds of exploits are typically difficult to pull off, but they give a hacker deep access to a server.

The flaw was initially discovered by security researcher Corben Leo toward the end of 2017. According to ZDNet, Leo contacted Nike at the time and heard nothing for three months. Leo then brought the information to ZDNet.

The exploit only required a few lines of Python code, but allowed Leo to grab data from the server and send it to an external FTP server he had set up, the report said. ZDNet confirmed the exploit and noted that it "included every username able to log in to the server, such as system administrators."

To address the issue, Nike simply took the MyNikeTeam.com website offline. The firm offered the following statement to ZDNet: "MyNikeTeam.com site was a pilot site that was active for a few months last year and was hosted on a separate server to the main Nike.com site. It has now been retired to address this issue. We appreciate any notification that helps us maintain data security."
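Added example (not code from the original post, from Nike or from ZDNet) showing the XXE class behind the report: a parser that resolves external entities will open whatever local file a crafted DOCTYPE points at and splice its contents into the document, which is how "every username able to log in to the server" can end up in the attacker's hands. It uses only the Python standard library (xml.sax over expat) and a temporary file with constructed contents standing in for the targeted file; the document shape, file path and helper names are assumptions for illustration. The report describes the out-of-band variant, where the file contents are pushed to an attacker's FTP server through a second entity's URL instead of being echoed in the HTTP response; the file read shown here is the same first step, minus that exfiltration channel.

```python
"""In-band XXE file read beside a hardened parser. Added example; assumes a
Unix-like host and Python 3.7.1+ (where external entity resolution is off
by default in xml.sax, so the vulnerable parser has to turn it on)."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed stand-in for the sensitive file an attacker would target.
SAMPLE_SECRET = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "deploy:x:1001:1001::/home/deploy:/bin/bash\n"
)


class _TextCollector(ContentHandler):
    """Accumulates character data; expat delivers it in chunks."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def xxe_payload(target_path):
    """Classic XXE: the DOCTYPE declares an external entity pointing at a
    local file, and element content references it (hypothetical order feed)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<order><sku>&xxe;</sku></order>"
    )


def parse_vulnerable(xml_text):
    """Parser configured the way many legacy applications run: external
    general entities are resolved, so expat opens the file named in the
    entity declaration and returns its contents as ordinary text."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(xml_text.encode()))
    return "".join(handler.chunks)


def parse_hardened(xml_text):
    """Two independent controls, so that one slipping does not leak data:
    reject any document that carries a DOCTYPE at all (an order feed has no
    business declaring entities; matching inside a comment is a false
    reject, which fails closed), and keep external general and parameter
    entity resolution off so a DOCTYPE that got through is still inert."""
    raw = xml_text.encode()
    if re.search(rb"<!DOCTYPE", raw):
        raise ValueError("DOCTYPE declarations are not accepted")
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.parse(io.BytesIO(raw))
    return "".join(handler.chunks)


def demo():
    """Run both parsers against the same payload and report what each
    returned: the leaked text, and the hardened parser's rejection reason."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SAMPLE_SECRET)
        path = f.name
    try:
        payload = xxe_payload(path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except ValueError as exc:
            blocked = str(exc)
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:\n" + result["leaked"])
    print("hardened parser said:", result["blocked"])
```

The DOCTYPE pre-check is the control that matters most in practice: turning entity resolution off protects against file reads, but entity expansion attacks such as "billion laughs" need no external entity at all, and refusing the DOCTYPE shuts both down. Applications that cannot afford a hand-rolled check typically reach for the defusedxml package, which applies the same policy to every stdlib parser.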