Thursday, March 26th, 2009
Kent Brewster couldn’t hold back any more and posted about a vulnerability in the Amazon Wish List system: any page you load while signed in to Amazon can add items to your wish list, without your clicking anything. You can imagine people “having fun” and filling your list with a pile of porn.
Kent tells us:
Old friends may remember the How to Tell if a User is Signed In to Service X series, which ended last year around this time. As you can see from the comments in Patching Privacy Leaks, I advised users to sign out of Amazon.com on 17 October 2008, but did not say why.
Six months and multiple warnings later, nothing’s been done.
If you are signed in to the United States version of Amazon.com and have a wish list, the button on this site should add an item. You’ll see an alert with a success or failure message, and then this paragraph will change to tell you what happened and where to go to see it. If you’re using Firefox or IE, we will be able to determine your Amazon login status, by watching onError. If all else fails, we will assume after a few seconds of inactivity that something went wrong.
Kent then shows us how simple it is:
By examining the source of Amazon’s Universal Wish List toolbar bookmarklet, we find something suspicious: an HTTP GET that seems to modify data on behalf of the signed-in Amazon user. This is trouble, since Amazon is depending only on browser cookies to verify user identity. Anyone can create a URL, like this:
http://www.amazon.com/gp/wishlist/add/ref=wl_bm-add?submit=1&operation=add&mode=JS&priceInput=&id=&imageUrl.0=http%3A%2F%2Fi2.ytimg.com%2Fvi%2FE62DXiL_8Vs%2Fdefault.jpg&name.0=Raccoon%20Party&itemComment.0=amazon%20wishlists%20are%20dreadfully%20insecure&productUrl.0=http%3A%2F%2Fwww.youtube.com%2Fwatch%21v%3eDeQ1DN7n2Eg
… and fire it off on behalf of the signed-in user. Here I’m being polite and requiring the user to click a button, but it would be trivial to list it as the SRC attribute of a SCRIPT or IMG tag.
Adding a bunch of porn is bad enough, but what if we slipped “Pragmatic Ajax” in from Ajaxian? Or used it for SEO sneakiness?
Posted by Dion Almaer at 2:44 am