Decathlon has its e-commerce site invaded by ethical hackers and discovers 27 vulnerabilities



Decathlon is forging ahead when it comes to hunting for security vulnerabilities in its information systems and e-commerce sites. On the occasion of the FIC 2022 cybersecurity exhibition held in Lille, Decathlon organized a live session on the shortcomings of its e-commerce platform, the so-called “Live Bug Bounty”, open to ethical hackers from the YesWeHack platform. The operation discovered 27 vulnerabilities, 3 of which are critical.

An event organized by Decathlon communication teams

The event was organized June 7-8 by Decathlon communication teams in partnership with YesWeHack. Decathlon has been using a private Bug Bounty program on the YesWeHack platform for a year now, and so the esports expert has agreed to appear in the spotlight for two days on any flaws it may have. A detailed description of this Live Bug Bounty is posted on the YesWeHack blog.

Hackers Revealed Various Vulnerabilities in Ecommerce Website Built on PrestaShop

After 30 hours of troubleshooting, even overnight, hackers revealed several vulnerabilities in the PrestaShop-built e-commerce site, including an RCE (Remote Code Execution) and SQL injection. Decathlon teams on site qualified the 64 reports made by hackers during the event with an average response time of 1 hour and 6 minutes.

Decathlon teams accepted 27 reports, including 3 critical ones, and the first patches were under construction before the end of the event and are being deployed to the affected area. There was no disruption to production because the hackers complied with program rules that prohibited testing that could lead to potential service disruptions.

Go further in the search for computer vulnerabilities

This is the first time we have embarked on a Live Bug Bounty. This allows us to meet the hackers, discuss with them and go further in the search for vulnerabilities. says Farid Illikoud, CISO of the Decathlon Group. During the two days of live crash detection, Decathlon teams tested the robustness of their OneShop e-commerce solution, based on the PrestaShop platform, used by around thirty countries around the world. To test the end-to-end E-Commerce platform, Decathlon Technology included its authentication solution “Login” and its loyalty solution “Account” in the scope of the test.

Decathlon teams rated failures with an average response time of 1 hour and 6 minutes

Decathlon Technology’s technical teams were present to ensure the rapid assessment and remediation – the correction phase of detected deficiencies – of the reports transmitted by the hackers. The team had an average response time of 1 hour and 6 minutes during the event. A few dozen hackers participated in the live search for flaws. This Live Bug Bounty was also open to participants in the European Cyber ​​Cup, an ethical hacking competition using eSports codes dedicated to students.

After just over a year in the private Bug Bounty program, we wanted to reach a new level by hosting a Live Bug Bounty explains Ismail Bouafoud, Information Systems Project Manager at Decathlon. The robustness of the e-commerce platform was tested under real conditions in the production environment. “ We had some misgivings, but the event was a great experience and a real success on all fronts. he said.

Appreciated proximity to hackers

The Decathlon teams’ proximity to the vulnerability hunting community was greatly appreciated. It allowed for more fluid interactions and the opportunity to be confronted with new security approaches. The competition was won by Zax followed by Hisxo and CarlJohnson. The first presentation of a security breach was made just 1 hour after the event started. Several IDORs (Insecure Direct Object References) were discovered in the defined perimeter.

Bug Bounty is challenging and engaging for us commented Matthieu Vanoost, Information Security Manager at Decathlon. ” When researchers find a vulnerability, they submit a report. If this vulnerability is critical, we set a deadline to fix it he continues. Responsiveness keeps vulnerability hunters and Decathlon teams motivated.


Leave a Comment