Critical security vulnerability at Amazon fixed

ronjor · Jan 18, 2013

A cross-site scripting vulnerability allowed access to session cookies.

Online merchant Amazon has fixed a critical security vulnerability on its web site that allowed access to user accounts. Amazon fixed the problem immediately after The H's associates at heise Security informed the company. The issue seems to have affected all of Amazon's web sites for individual countries around the world.
Click to expand...

http://www.h-online.com/security/ne...ty-vulnerability-at-Amazon-fixed-1787328.html

Cudni · Jan 19, 2013

Not nice. Good it was fixed quickly

Cimmerian · Jan 19, 2013

Cudni said:

Not nice. Good it was fixed quickly
Click to expand...

Ditto that..we use Amazon quite a bit.

Rmus · Jan 19, 2013

It appears that you would have to be on the customer forum to encounter the exploit:
The exploit was trivial. All that was required was to make a post in the customer forum with a specially formatted title along the lines of
Code:
"><script>alert('XSS')<script>. 
Since Amazon didn't sufficiently check the post title, the JavaScript code in the title was then embedded in some of the forum's subpages and executed by browsers when those pages were opened.
Click to expand...
I've been an Amazon customer for *many* years and never knew there was a forum.

How do you get to it? I don't see it linked anywhere from their menu...

----
rich

Cudni · Jan 19, 2013

Rmus said:

How do you get to it? I don't see it linked anywhere from their menu...

----
rich
Click to expand...

When you mentioned it, it made me look and

http://www.amazon.co.uk/forum/amazon

Rmus · Jan 19, 2013

Cudni said:

When you mentioned it, it made me look and

http://www.amazon.co.uk/forum/amazon
Click to expand...

How did you know the URL syntax?

I searched on Amazon for "customer forums" and got a list of products, none of which linked to a forum.

----
rich

Log in or Sign up

Critical security vulnerability at Amazon fixed

ronjor Global Moderator

Cudni Global Moderator

Cimmerian Registered Member

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

Log in or Sign up

Critical security vulnerability at Amazon fixed

ronjor Global Moderator

Cudni Global Moderator

Cimmerian Registered Member

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

Useful Searches