Louis Vuitton website exposes user accounts. The Louis Vuitton website exposes users when they view their account details, but the account numbers were sequential and part of the URL.
The exposure became apparent when Sabri Haddouche, an independent researcher, noticed his account number in the URL and tried simply incrementing it by +1. This action brought up an entirely different user’s account information. Sabri Haddouche, following proper responsible reporting protocols, reached out to the company and informed them of the issue.
Louis Vuitton quietly fixed an issue on their website that hackers could exploit before the company became aware of it.
Unfortunately, the luxury fashion brand’s response is frustrating and reads in part, as follows:
“Thank you for contacting Louis Vuitton. In response to your query, we regret to inform you that we cannot answer favorably to your sponsorship proposal. We thank you for your understanding and your interest in Louis Vuitton and wish you a pleasant day.”
If Sabri Haddouche, an independent researcher, wasn’t persistent in contacting Louis Vuitton, they may not have known to fix their exposure in time.
There is no evidence that hackers discovered and used this simple exploit before Haddouche reported it and the company corrected it. The truth is that hackers may well have, so if you have an account on Louis Vuitton’s website, be aware that whatever personal information in your account profile may have been compromised.
Thanks to Sabri Haddouche for his dogged determination in getting the company to pay attention to the issue.