If you’re a fan of the luxury fashion brand Louis Vuitton, be advised that the company recently and quietly fixed an issue on their website that may have been exploited by hackers before the company became aware of it. The problem was discovered by independent researcher Sabri Haddouche, who, following proper responsible reporting protocols, reached out to the company and informed them of the issue.
Unfortunately, their response was frustrating and read in part, as follows:
“Thank you for contacting Louis Vuitton. In response to your query, we regret to inform you that we are not able to answer favorably to your sponsorship proposal. We thank you for your understanding and your interest in Louis Vuitton and wish you a pleasant day.”
An unusual response, to be sure, but Haddouche kept trying to make contact with someone who at least knew what it was he was attempting to tell them. Finally, he was successful on that front and the company moved to correct the issue.
The crux of the issue was this: The website allowed users to view their own account details but the account numbers were sequential, and part of the URL. Haddouche noticed this when he saw his account number in the URL and tried simply incrementing it by +1, which brought up an entirely different user’s account information.
There is no evidence that hackers discovered and made use of this simple exploit before Haddouche reported it and the company corrected it. The truth is that they may well have, so if you have an account on Louis Vuitton’s website, be aware that whatever personal information you had stored in your account profile may have been compromised.
Kudos to Sabri Haddouche for his dogged determination in getting the company to pay attention to the issue.