Full Report
Vulns in Dutch football club's systems didn't just expose data – they let outsiders play with accounts, and even lift stadium bans

Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass and more like the gates left wide open.…
Analysis Summary
# Vulnerability: AFC Ajax API Insecure Direct Object Reference (IDOR) and Broken Access Control
## CVE Details
- **CVE ID:** Not yet assigned (as of report date)
- **CVSS Score:** Estimated 8.8–9.1 (Critical)
- **CWE:** CWE-284 (Improper Access Control), CWE-639 (Insecure Direct Object Reference), CWE-321 (Use of Hard-coded/Shared Cryptographic Key)
## Affected Systems
- **Products:** AFC Ajax Internal Management Systems and Fan Portal
- **Versions:** Unspecified production versions prior to March 2026
- **Configurations:** Systems utilizing exposed APIs and shared digital keys for user authentication and authorization.
## Vulnerability Description
The incident involved multiple critical failures in the club’s digital infrastructure. The systems exposed **APIs that lacked proper authorization checks**, and the application reportedly used **shared digital keys** across different users. Together these allowed an attacker to perform unauthorized actions simply by manipulating API requests: by "poking" at these endpoints, researchers could act on behalf of other users (an Insecure Direct Object Reference) and perform administrative actions they were not authorized to execute.
## Exploitation
- **Status:** Exploited in the wild (Demonstrated by a journalist/researcher and an unidentified "hacker in the Netherlands")
- **Complexity:** Low
- **Attack Vector:** Network
- **PoC Availability:** Yes (Demonstrated by RTL News; involved transferring VIP tickets and lifting stadium bans in real time).
## Impact
- **Confidentiality:** **High** – Access to personal data of 300,000+ registered supporters, including contact details and sensitive stadium ban records (reasons for bans, drug-related incidents, etc.).
- **Integrity:** **High** – Ability to modify account details, transfer/steal season tickets, and alter legal/disciplinary statuses (stadium bans).
- **Availability:** **Medium** – Potential for "denial of service" to fans if their tickets were moved or deleted by unauthorized third parties.
## Remediation
### Patches
- AFC Ajax has stated that the vulnerabilities have been **patched** in their internal systems. Specific version numbers were not provided in the disclosure.
### Workarounds
- **Reversal of Unauthorized Transfers:** The club reportedly "clawed back" unauthorized ticket transfers once detected.
- **Monitoring:** Increased auditing of API logs for unusual administrative changes originating from non-admin accounts.
## Detection
- **Indicators of Compromise:**
  - Unusual API traffic patterns originating from supporter IP addresses toward administrative endpoints (`/admin`, `/modify-ban`, `/transfer-ticket`).
  - Multiple account actions (e.g., ticket transfers) associated with a single digital key or session fingerprint.
- **Detection Methods and Tools:**
  - Conduct regular **API Security Audits** to identify endpoints improperly utilizing shared keys.
  - Implement **DAST (Dynamic Application Security Testing)** to check for IDOR vulnerabilities in the ticketing flow.
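The two indicators above can be checked mechanically against API access logs. The script below is an added example, not code from the report or from AFC Ajax; the log format (timestamp, source IP, session key, role, method, path), the `?account=` parameter, the session key values and the one-account-per-key threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed column order:
# timestamp, source IP, session key, role, method, path
SAMPLE_LOG = """\
2026-03-20T10:00:01Z 203.0.113.10 key-a1 supporter POST /transfer-ticket?account=1001
2026-03-20T10:00:07Z 203.0.113.10 key-a1 supporter POST /transfer-ticket?account=1002
2026-03-20T10:00:13Z 203.0.113.10 key-a1 supporter POST /transfer-ticket?account=1003
2026-03-20T10:01:00Z 203.0.113.10 key-a1 supporter POST /modify-ban?account=1004
2026-03-20T10:02:00Z 198.51.100.5 key-b7 admin POST /modify-ban?account=1005
2026-03-20T10:03:00Z 192.0.2.44 key-c2 supporter GET /my-tickets?account=1006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<key>\S+) (?P<role>\S+) (?P<method>\S+) "
    r"(?P<path>[^?\s]+)(?:\?account=(?P<account>\d+))?$"
)
# Administrative endpoints named in the indicator list above.
ADMIN_PATHS = {"/admin", "/modify-ban", "/transfer-ticket"}
# Assumed threshold: a legitimate session key should only touch its own account.
MAX_ACCOUNTS_PER_KEY = 1


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_indicators(text, max_accounts=MAX_ACCOUNTS_PER_KEY):
    """Return (non-admin hits on admin endpoints, keys acting on too many accounts)."""
    events = parse_log(text)
    # Indicator 1: a non-admin role reaching an administrative endpoint.
    admin_hits = [e for e in events if e["path"] in ADMIN_PATHS and e["role"] != "admin"]
    # Indicator 2: one session key associated with actions on many distinct accounts.
    accounts_by_key = defaultdict(set)
    for e in events:
        if e["account"]:
            accounts_by_key[e["key"]].add(e["account"])
    shared_keys = {k: sorted(v) for k, v in accounts_by_key.items() if len(v) > max_accounts}
    return admin_hits, shared_keys


if __name__ == "__main__":
    hits, keys = find_indicators(SAMPLE_LOG)
    print(len(hits), "non-admin hits on admin endpoints;", keys)
```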
## References
- AFC Ajax Official Statement (referenced)
- RTL News Investigation: hxxps[:]//www[.]rtl[.]nl/nieuws/tech/artikel/5581939/hack-ajax-seizoenskaarten-stelen-fans-stadionverboden
- The Register: hxxps[:]//www[.]theregister[.]com/2026/03/27/ajax_data_breach/