fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Louis Vuitton Fixes Data Leak And Account Takeover Vulnerability

Louis Vuitton Fixes Data Leak And Account Takeover Vulnerability

Louis Vuitton has quietly patched a security vulnerability on its website that allowed for user account enumeration and even allowed account takeover via password resets.

Founded in 1854, Louis Vuitton is a prominent luxury French fashion brand and merchandise company with over 121,000 employees and a $15 billion annual revenue.

The easily exploitable flaw resided within the MyLV account section of the website.

Creating a MyLV account lets a Louis Vuitton shopper track online orders, access purchase history, obtain e-receipts, manage personal information, and receive company announcements.

Also Read: How To Check Data Breach And How Can We Prevent It

Researcher reports vulnerability, gets a vague response

Having discovered the vulnerability, security researcher Sabri Haddouche reached out to Louis Vuitton as a part of the responsible disclosure process. 

He then tweeted on September 22nd about his unsuccessful attempts to get through to the correct person when he received a vague response from the company.

Haddouche initially received a strange response from the company when reporting the vulnerability 
Source: Twitter

Haddouche continued in the same thread, “Well they said now that they forwarded the report to the related department so I’m going to wait for another week until I try to find a new way to contact them, maybe you can tell them there’s an urgent security issue that needs to be fixed and the support got the report.”

Email account enumeration

Haddouche has now shared with BleepingComputer more details about this urgent security issue that needed to be patched.

The researcher stated, “The vulnerability is surprisingly easy to exploit and I had found it by accident when clicking in one of the links in Louis Vuitton’s e-mail. Here is how it works:”

  1. Navigate to the following URL: https://account.louisvuitton.com/fra-fr/mylv/registration?A=917XXXXXXXXXXX.
  2. The ID (parameter “A”) can be altered to anything since the digits are incremental it is easy to discover pretty much anyone.
  3. The e-mail of a customer will be displayed. Additionally, if he does not have an account, it will ask you to set a password as well and will log into it.

The e-mail Haddouche is referring to was an email notification about his repair from Louis Vuitton, which prompted him to login to an account.

Louis Vuitton email notification with the button that had the vulnerable link to MyLV
Source: BleepingComputer

The “Consulter mon compte” (View my account) button leads to the MyLV link with Haddouche’s account ID, as shown in the steps above.

Haddouche noticed replacing his account ID number in the “A” parameter with a consecutive number now showed another user’s email address in the email field.

Also Read: 10 Government Data Leaks In Singapore: Prevent Cybersecurity

An attacker can potentially obtain email addresses of multiple Louis Vuitton’s members without their knowledge or consent by simply enumerating their account ID in the URL.

Member’s email address leak via Louis Vuitton website
Source: BleepingComputer

Account takeover via enumeration

Another worrisome aspect of My LV account website is how it enabled anyone to takeover a Louis Vuitton member’s account.

Consider that a user had previously shopped on the website using their email address, but hadn’t signed up for an account.

Building on the above workflow,  had a hacker come across such an email address in their course of guessing account IDs one by one, the website would not only expose the account’s email address but ask the hacker to set a password.

This could enable the attacker to create an account on behalf of the rightful user and set a password.

Recall, that a MyLV account grants access to personal information, online orders, access purchase history, e-receipts, and other sensitive bits.

Therefore, an account takeover via this flaw could’ve potentially exposed a user’s shopping history and data that should remain confidential.

Louis Vuitton’s website prompts “create an account” in some cases

Also Read: Basic Info On How Long To Keep Accounting Records In Singapore?

Louis Vuitton fixes flaw, thanks researcher

Today, Louis Vuitton has patched the flaw and as observed by BleepingComputer, the website no longer leaks arbitrary email addresses or allows account takeovers when navigating to the account creation URL in question.

The company thanked the researcher for reporting the flaw in an email. A rough translation of the email shown below would be:

Dear Mr. Haddouche,

As mentioned before, I am happy to come back to you with more information.

I am pleased to announce that the mentioned vulnerability has been immediately fixed by the concerned department.

I thank you again for your feedback on this matter and once again offer my sincerest apologies for the misunderstanding of the initial request.

I remain at your disposal for any other return or request on your part.

I wish you an excellent evening,

Yours sincerely,

Pauline

Louis Vuitton’s response to Haddouche announcing vulnerability has been resolved

Although Louis Vuitton does have a HackerOne bug bounty page, it does not seem to be actively used.

When asked, how could companies make it easier for researchers to report vulnerabilities, Haddouche told BleepingComputer: 

“I would say that always have a dedicated email with PGP keys or a similar secure way for reporting security-related issues (YesWeHack bug bounty platform has PGP encryption in the background for each report) or like a dedicated Wire or Signal account for reporting security vulnerabilities, and publish them on your website or in a security.txt file because we basically lost 2 weeks and the vulnerability was already disclosed in my Twitter DMs and then in clear text per email during that time.”

“Anyone who has access to their mailbox, Twitter or my account would have been able to see the details of the vulnerability and make use of it,” he concluded.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us