Thursday, March 26th, 2009

Amazon Wish Lists Are Dreadfully Insecure

Category: Security

Kent Brewster couldn’t hold back anymore and posted about a vulnerability in the Amazon Wish List system that lets anyone add items to your wish lists. You can imagine people “having fun” by adding a huge number of porn items to your setup.

Kent tells us:

Old friends may remember the How to Tell if a User is Signed In to Service X series, which ended last year around this time. As you can see from the comments in Patching Privacy Leaks, I advised users to sign out of Amazon.com on 17 October 2008, but did not say why.

Six months and multiple warnings later, nothing’s been done.

If you are signed in to the United States version of Amazon.com and have a wish list, the button on this site should add an item. You’ll see an alert with a success or failure message, and then this paragraph will change to tell you what happened and where to go to see it. If you’re using Firefox or IE, we will be able to determine your Amazon login status, by watching onError. If all else fails, we will assume after a few seconds of inactivity that something went wrong.

Kent then shows us how simple it is:

By examining the source of Amazon’s Universal Wish List toolbar bookmarklet, we find something suspicious: an HTTP GET that seems to modify data on behalf of the signed-in Amazon user. This is trouble, since Amazon is depending only on browser cookies to verify user identity. Anyone can create a URL, like this:


http://www.amazon.com/gp/wishlist/add/ref=wl_bm-add

?submit=1&operation=add&mode=JS&priceInput=&id=
&imageUrl.0=http%3A%2F%2Fi2.ytimg.com%2Fvi%2FE62DXiL_8Vs%2Fdefault.jpg
&name.0=Raccoon%20Party
&itemComment.0=amazon%20wishlists%20are%20dreadfully%20insecure
&productUrl.0=http%3A%2F%2Fwww.youtube.com%2Fwatch%21v%3eDeQ1DN7n2Eg

… and fire it off on behalf of the signed-in user. Here I’m being polite and requiring the user to click a button, but it would be trivial to list it as the SRC attribute of a SCRIPT or IMG tag.

Adding a bunch of porn is bad, but what if we put “Pragmatic Ajax” in there from Ajaxian? Or SEO sneakiness?

Posted by Dion Almaer at 2:44 am

3 Comments »

Wantz.it looks pretty neat, but you guys should look into some input filtering on http://www.wantz.it/widget.php. I can pass unfiltered JavaScript into the host page through the R variable, like so:

%22)=wantz_c;}catch(e){};alert(%27pwned!%27);try{document.getElementById(%22foo

… which strongly suggests to me that Further Mischief Is Possible. :)

–Kent

Comment by kentbrew — March 26, 2009

If someone wants to add stuff to mine, they’re welcome to. God knows it’ll probably be more interesting than the vast pile of books for work I have up there.

Comment by jsutcliffe — March 26, 2009

Honestly, adding porn items really isn’t the problem. Where things can really get “interesting” (pronounced “oh sh*t!”) are sites that add drive by items to your wishlist that point to spyware/trojan vectors, or use it to game the hundreds of publicly displayed Amazon Wish Lists to increase their SEO.

I fully expect there to be a bunch of “Looking for Great Deals on Overseas meds?” being added to folks’ universal wish lists soon.

Comment by jrconlin — March 26, 2009
