Amazon Wish Lists Are Dreadfully Insecure

In: web resources

27 Mar 2009

Kent Brewster couldn’t hold back anymore and posted on a vulnerability on the Amazon Wish List system that means that anyone can play with your wish lists. You can imagine people “having fun” and adding a huge number of porn elements to your setup.

Kent tells us:

Old friends may remember the How to Tell if a User is Signed In to Service X series, which ended last year around this time. As you can see from the comments in Patching Privacy Leaks, I advised users to sign out of Amazon.com on 17 October 2008, but did not say why.

Six months and multiple warnings later, nothing’s been done.

If you are signed in to the United States version of Amazon.com and have a wish list, the button on this site should add an item. You’ll see an alert with a success or failure message, and then this paragraph will change to tell you what happened and where to go to see it. If you’re using Firefox or IE, we will be able to determine your Amazon login status, by watching onError. If all else fails, we will assume after a few seconds of inactivity that something went wrong.

Kent then shows us how it is simply done:

By examining the source of Amazon’s Universal Wish List toolbar bookmarklet, we find something suspicious: an HTTP GET that seems to modify data on behalf of the signed-in Amazon user. This is trouble, since Amazon is depending only on browser cookies to verify user identity. Anyone can create an URL, like this:


http://www.amazon.com/gp/wishlist/add/ref=wl_bm-add

?submit=1&operation=add&mode=JS&priceInput=&id=
&imageUrl.0=http%3A%2F%2Fi2.ytimg.com%2Fvi%2FE62DXiL_8Vs%2Fdefault.jpg
&name.0=Raccoon%20Party
&itemComment.0=amazon%20wishlists%20are%20dreadfully%20insecure
&productUrl.0=http%3A%2F%2Fwww.youtube.com%2Fwatch%21v%3eDeQ1DN7n2Eg

… and fire it off on behalf of the signed-in user. Here I’m being polite and requiring the user to click a button, but it would be trivial to list it as the SRC attribute of a SCRIPT or IMG tag.

Adding a bunch of porn is bad, but what if we put”Pragmatic Ajax” in from Ajaxian? Or SEO sneakiness?

Comment Form

About this blog

This blog delivers stylish and dynamic news for designers and web-developers on all subjects of design, ranging from: CSS, Ajax, Javascript, web design, graphics, typography, advertising & much more. Our goal is to help you communicate effectively on the web with an engaging website or functional interface.

Copyright © 2007 - Programming Blog - is proudly powered by WordPress | Log in

Compositio Theme is created by: Design Disease brought to you by PremiumThemes.com