A previously undisclosed flaw in Nike's website allowed anyone with a few lines of code to read server data like passwords, which could have provided greater access to the company's private systems.
An 18-year-old researcher, Corben Leo, discovered the flaw late last year and contacted Nike through the company's dedicated email address for reporting security flaws, which it advertises on its bug bounty page.
After hearing nothing back for more than three months, Leo contacted ZDNet, which also alerted the company to the vulnerability.
The bug was an out-of-band XML external entity (OOB-XXE) flaw that abused how Nike's website parsed XML-based files, allowing the researcher to read files directly on the server. OOB-XXE flaws are widely seen as esoteric and difficult to carry out, but they can be used to gain deep access to a server's internals. Access to a server's files can disclose other avenues for exploitation, such as remote code execution or pivoting to other connected servers or databases.
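The root cause described above is an XML parser that honours DTD and entity declarations in untrusted input. The standard mitigation is to refuse any DTD before the parser sees the document, so no external entity can be declared, let alone resolved. The following is an added example, not Nike's code or the researcher's proof of concept; the two sample documents are constructed for illustration, and the helper names are my own.

```python
"""Defensive XML intake: flag and reject DTD/entity declarations before parsing.

Added example (not from the article or Nike). The sample documents are
constructed; nothing here touches the network or the filesystem.
"""
import re
import xml.etree.ElementTree as ET

# Raw-byte checks run before any parser touches the input, so they do not
# depend on a particular library's entity-handling defaults.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
_PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE | re.DOTALL
)

# Constructed sample: an ordinary wholesale order document.
BENIGN = b'<?xml version="1.0"?><order><sku>AF1-001</sku><qty>2</qty></order>'

# Constructed sample: the same document carrying an inline DTD that declares
# an external entity, the textbook shape of the flaw the article describes.
XXE_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    b"<order><sku>&ext;</sku></order>"
)


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, which this service never needs."""


def xxe_indicators(data: bytes) -> list[str]:
    """Return the DTD-related constructs found in the raw document.

    Useful both as a gate and as a log field for detection: a parameter
    entity (``<!ENTITY % ...>``) or a SYSTEM/PUBLIC identifier in request
    bodies is a strong signal of an out-of-band XXE attempt.
    """
    found = []
    if _DOCTYPE_RE.search(data):
        found.append("doctype")
    if _ENTITY_RE.search(data):
        found.append("entity-declaration")
    if _PARAM_ENTITY_RE.search(data):
        found.append("parameter-entity")
    if _EXTERNAL_ENTITY_RE.search(data):
        found.append("external-entity")
    return found


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing anything that declares a DTD.

    Rejecting every DOCTYPE (rather than trying to allow "safe" ones) is the
    simplest policy: a legitimate API payload has no reason to carry one.
    ElementTree's expat parser does not fetch external entities on its own,
    but the explicit check keeps the decision visible and library-independent.
    """
    indicators = xxe_indicators(data)
    if indicators:
        raise UnsafeXMLError(f"DTD constructs rejected: {', '.join(indicators)}")
    return ET.fromstring(data)


if __name__ == "__main__":
    print("benign ->", parse_untrusted_xml(BENIGN).find("sku").text)
    print("xxe sample ->", xxe_indicators(XXE_SAMPLE))
    try:
        parse_untrusted_xml(XXE_SAMPLE)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```

In production the same policy belongs at the parser level too: most XML libraries expose a switch to disallow DOCTYPE declarations or disable external entity resolution, and the raw-byte check above is a belt-and-braces layer in front of it, plus a cheap source of log data for spotting probing attempts.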
The exploit code, just over a dozen lines in Python, let Leo funnel data stored on a Nike.com subdomain to an external FTP server he operated, which spat out the file's contents line by line.
A video of the exploit in action given to ZDNet revealed the contents of the server's /etc/passwd file, which included every username able to log in to the server, such as system administrators.
A Nike spokesperson confirmed the flaw is now fixed, but downplayed any risk to other systems.
"MyNikeTeam.com site was a pilot site that was active for a few months last year and was hosted on a separate server to the main Nike.com site. It has now been retired to address this issue. We appreciate any notification that helps us maintain data security," the spokesperson said.
Nike isn't just a sports apparel retail giant. In the past few years, the company has been aggressively pushing into the data-gathering market by building sports and activity tracking into its products, as well as creating its own line of wearables -- a market it has since exited, though it still integrates its technology with other branded wearables.
The company added that the site was designed for wholesale customers and not ordinary consumers, but it still allowed users to log in with their Nike.com username and password. Nike said its microservice architecture and server setup meant user data was never put at risk by the bug.
We passed the video and proof-of-concept (PoC) code to Scott Helme, a UK-based security researcher and consultant, to independently review.
"The issue here is pretty severe and the researcher found a very nice OOB-XXE injection vulnerability," said Helme. "As can be seen in the demo video, the PoC extracted the contents of the /etc/passwd file on the host and sent them to a remote server under the control of the researcher, proving the vulnerability is valid and that data can be exfiltrated from the host."
"The response from Nike was to take the affected site offline, but this doesn't address the concerns around any data that was processed and the access to other internal systems that an attacker would have had," he added.
"With a login form on the page it's more than reasonable to assume that credentials were processed on the affected site whilst this vulnerability was present," he said. "Also, an attacker could have leveraged [a server-side request forgery attack] to probe other systems and services adjacent to, or accessible from, this particular host."
"We'll never know the full extent of how bad this vulnerability could have been because the researcher acted responsibly and reported it quickly," said Helme.
"Given more time and a slightly more hostile approach, I'd be willing to bet that this would have been a lot worse," he added.