Nike website vulnerability leaked server login passwords and more

An undisclosed flaw in Nike's website for wholesale customers could be exploited with a few lines of code.

Best practices for protecting your company's sensitive data
Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A flaw in the website allowed anyone with a few lines of Python code to access sensitive data, including server login credentials.
  • Following the discovery of a flaw in, Nike has taken the website offline.

A vulnerability in the Nike website allowed a security researcher to access server login credentials for system admins, according to a report from our sister site ZDNet.

The researcher was able to read the files on the server by exploiting an out-of-band XML external entities (OOB-XXE) flaw, ZDNet reported. These kinds of exploit are typically difficult to pull off, but they give a hacker deep access to a server.

The flaw was initially discovered by security researcher Corben Leo toward the end of 2017. According to ZDNet, Leo contacted Nike at the time, and heard nothing for three months. At that time, Leo then brought the information to ZDNet.

SEE: Network security policy (Tech Pro Research)

The exploit only required a few lines of Python code, but allowed Leo to grab data from the server and send it to an external FTP server he had set up, the report said. ZDNet confirmed the exploit and noted that it "included every username able to log in to the server, such as system administrators."

To address the issue, Nike simply took the website offline. The firm offered the following statement to ZDNet:" site was a pilot site that was active for a few months last year and was hosted on a separate server to the main site. It has now been retired to address this issue. We appreciate any notification that helps us maintain data security."

While the site was meant to be for wholesale customers, individual consumers could still log in. However, according to ZDNet, Nike said that customer data was not put at risk by the bug.

ZDNet passed the exploit code and video onto Scott Helme, a UK-based security researcher. Helme confirmed the validity of the exploit and called it "pretty severe."

"The response from Nike was to take the affected site offline but this doesn't address the concerns around any data that was processed and the access to other internal systems that an attacker would have had," Helme told ZDNet.

Also see

Image: Nike