Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

amazon_1

 

Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

Discover:
Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Vulnerability Description:

Amazon online website has a computer security bug problem. Hackers can exploit it by Covert Redirect attacks. This allow them to get users’ sensitive information by attacks such as phishing.

 

The code programming flaw exists at “redirect.html?” page with “&location” parameter, e.g.

The vulnerability can be attacked without user login. Tests were performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium version 37.0.2062.120 in Ubuntu 12.04 (281580) (64-bit).



 

 

(2) Vulnerability Details:

When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the redirection.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

 

One of the vulnerable domain is,
facebook.com

 

“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students. After registering to use the site, users can create a user profile, add other users as “friends”, exchange messages, post status updates and photos, share videos and receive notifications when others update their profiles. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as “People From Work” or “Close Friends”. Facebook had over 1.44 billion monthly active users as of March 2015. Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion.” (Wikipedia – Facebook)

 

 

 

(3) Use one of webpages for the following tests. The webpage address is “http://inzeed.com/kaleidoscope“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

 

 

(4) Vulnerability Disclosure:

The vulnerability was reported to Amazon in the beginning of February 2014. Amazon has patch part of the vulnerability.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s