Louis Vuitton has fixed a vulnerability in its website that allowed attackers to carry out so-called "email account enumeration" attacks and to take control of the enumerated accounts by setting a password on them.
Louis Vuitton is one of the most popular luxury fashion brands. It is a French company, founded in 1854, with over 121,000 employees and annual revenues of $15 billion.
The vulnerability was identified in the MyLV account section of the site.
Creating a MyLV account allows a Louis Vuitton customer to track online orders, access their purchase history, receive electronic receipts, manage personal data and receive announcements from the company.
A researcher discovered the vulnerability and reported it to Louis Vuitton
The security researcher Sabri Haddouche discovered the vulnerability and tried to approach Louis Vuitton.
He then wrote on Twitter, on September 22, about his unsuccessful attempts to contact the right person. After that, he received a vague response from the company. Haddouche continued in the same Twitter thread, saying: "Well, they have now said that they have taken the report to the relevant department, so I will wait another week before I try to find a new way to contact them. Maybe you can tell them that there is an urgent security issue that needs to be resolved."
Email account enumeration
Haddouche gave BleepingComputer more details on this urgent security matter.
The researcher stated: "The vulnerability can be used very easily, and I found it by accident when I clicked on one of Louis Vuitton's email links. Here is how it works:"
- Go to the following URL: https://account.louisvuitton.com/fra-fr/mylv/registration?A=917XXXXXXXXXXXX.
- The ID (parameter "A") can be modified.
- A customer email will be displayed. If the customer does not have an account, the site will ask you to set a password and log in to it.
Haddouche made this observation while looking at an email from Louis Vuitton notifying him about a repair. The notification prompted him to sign in to an account.
The "Consult my account" (View my account) button in the email led him to the MyLV link carrying Haddouche's own account ID.
Haddouche noticed that when he replaced his account ID in parameter "A" with an adjacent number, another user's email address appeared in the email field.
In this way an intruder could obtain the email addresses of many Louis Vuitton members, without their knowledge or consent, simply by changing the account ID number in the URL.
Access other users' accounts
The vulnerability in the Louis Vuitton site also allowed anyone to gain access to other users' accounts.
According to the researcher, the affected users (victims) may simply have purchased products from the Louis Vuitton site using their email address, without registering for an account.
Given the above, an attacker could find these emails (by changing the ID) and, when the site asked for one, set a password. This would allow the attacker to create an account on behalf of the legitimate user and choose its password.
As mentioned above, a MyLV account provides access to personal data, online orders, purchase history and other sensitive data.
The attacker would therefore gain access to customers' confidential data.
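The two weaknesses the article describes, a guessable sequential record ID that the registration page echoes back as an email address, and a password-setup step that never checks that the visitor controls that mailbox, are shown side by side below in a small Python model. This is an added illustration, not Louis Vuitton's code: the record store, the secret, the TTL and the function names are all constructed assumptions. The hardened variant replaces the bare ID with an HMAC-signed, expiring token that is only ever delivered to the email on file, so a visitor can reach the password-setup step only by holding a link from that inbox, and an invalid, expired or tampered token yields the same generic response as an unknown record.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample data (assumption): guest-checkout records keyed by a
# sequential numeric ID, like the "A" parameter described in the article.
GUEST_RECORDS = {
    917000000000001: {"email": "alice@example.com", "password_hash": None},
    917000000000002: {"email": "bob@example.com", "password_hash": None},
}

# Per-deployment signing secret (assumption: generated fresh here for the demo).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def weak_registration_page(record_id: int) -> Optional[dict]:
    """Weak pattern, as in the article: the page trusts a guessable ID taken
    straight from the URL, reveals the stored email, and offers to set a
    password if none exists. Varying the ID enumerates customers' emails."""
    rec = GUEST_RECORDS.get(record_id)
    if rec is None:
        return None
    return {"email": rec["email"], "can_set_password": rec["password_hash"] is None}


def _sign(record_id: int, expires_at: int) -> str:
    msg = f"{record_id}:{expires_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_registration_token(record_id: int, now: Optional[int] = None) -> str:
    """Hardened pattern: the link carries a signed, expiring token bound to the
    record. It is sent only to the email on file, so possession of the token
    is evidence of mailbox access; the raw ID alone is useless."""
    now = int(time.time()) if now is None else int(now)
    expires_at = now + TOKEN_TTL_SECONDS
    return f"{record_id}:{expires_at}:{_sign(record_id, expires_at)}"


def verify_registration_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the record ID if the token is well-formed, unexpired and its
    MAC matches; otherwise None. The comparison is constant-time."""
    try:
        rid_s, exp_s, mac = token.split(":")
        record_id, expires_at = int(rid_s), int(exp_s)
    except ValueError:
        return None
    now = int(time.time()) if now is None else int(now)
    if now > expires_at:
        return None
    if not hmac.compare_digest(_sign(record_id, expires_at), mac):
        return None
    return record_id


def hardened_registration_page(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Only a valid token reaches the record. A record that already has a
    password is treated like an unknown one, so a second party can never
    claim an email that is already registered."""
    record_id = verify_registration_token(token, now)
    if record_id is None:
        return None  # generic failure: no email disclosed for bad tokens
    rec = GUEST_RECORDS.get(record_id)
    if rec is None or rec["password_hash"] is not None:
        return None
    return {"email": rec["email"], "can_set_password": True}


if __name__ == "__main__":
    # Weak flow: an adjacent ID reveals another customer's email.
    print(weak_registration_page(917000000000002))
    # Hardened flow: only the signed link from the inbox works.
    link_token = issue_registration_token(917000000000001, now=1000)
    print(hardened_registration_page(link_token, now=1500))
    print(hardened_registration_page(link_token, now=1000 + TOKEN_TTL_SECONDS + 1))
```

Rate limiting on the registration endpoint and logging of token-verification failures (a burst of bad MACs from one client is a strong signal of tampering) are the natural complements to this change; neither is shown here.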
Louis Vuitton corrected the vulnerability and thanked the researcher
Louis Vuitton corrected the vulnerability and thanked the researcher by email for reporting the flaw.
The email stated, among other things: "We are pleased to announce that the reported vulnerability has been corrected by the relevant department. Thank you again for your comments on this issue, and once again we apologize for misunderstanding the original request."
Louis Vuitton has a bug bounty page on HackerOne, but it does not appear to be in use.
Regarding the vulnerability report, the researcher told BleepingComputer: "We actually lost 2 weeks, and the vulnerability had already been disclosed in a Twitter DM and then in plain text in an email during this period."
"Someone who may have accessed their Twitter mailbox or my account could have seen the details of the vulnerability and used it," he concluded.