Louis Vuitton has quietly patched a security vulnerability on its website that allowed for user account enumeration and even allowed account takeover via password resets. The vulnerability is surprisingly easy to exploit and I had found it by accident when clicking on one of the links in the MyLV account section of the company’s website. An attacker can potentially obtain email addresses of multiple members without their knowledge or consent by simply enumerating their account ID in the URL. The company thanked the researcher for reporting the vulnerability in an email.
Source: https://www.bleepingcomputer.com/news/security/louis-vuitton-fixes-data-leak-and-account-takeover-vulnerability/
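
A defender's view of the enumeration described above, as an added example that is not from the original article: a log check that flags any client requesting many distinct account IDs, with the share of consecutive IDs as a triage signal. The URL path, log format, sample lines and threshold are assumptions, since the article does not give them.

```python
import re
from collections import defaultdict

# Hypothetical path /account/<id>/profile; the article does not give the real URL.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /account/(\d+)/profile HTTP/[\d.]+" (\d{3})'
)

def _line(ip, acct, sec):
    """Build one constructed access-log line in combined-log style."""
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"GET /account/{acct}/profile HTTP/1.1" 200 512')

# Constructed sample data, not real traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 1000 + i, i) for i in range(8)]       # one client, IDs 1000..1007
    + [_line("198.51.100.4", 4321, s) for s in (10, 11, 12)]    # a member reloading their own page
    + [_line("198.51.100.9", a, 20 + i) for i, a in enumerate((17, 950))]  # two members behind one NAT
)

def find_enumerators(log_text, min_ids=5):
    """Return clients that requested at least min_ids distinct account IDs.

    A legitimate member normally touches only their own ID, so a high
    distinct-ID count per client is the primary signal. sequential_ratio
    (fraction of adjacent sorted IDs that differ by 1) helps triage:
    values near 1.0 indicate someone walking the ID space in order.
    """
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))

    findings = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = steps / (len(ordered) - 1) if len(ordered) > 1 else 0.0
        findings[client] = {"distinct_ids": len(ordered),
                            "sequential_ratio": round(ratio, 2)}
    return findings

if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(client, info)
```

Detection of this kind complements the actual fix, which is a server-side check that the account ID in the URL belongs to the authenticated session.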