Settings
Language

Country

Framework language
Choose the country,language and framework settings
Privacy
HTTPS + POST : An encrypted SSL(HTTPS) connection ensuring your privacy. The search variables like keywords, etc. are encrypted and masked.
HTTPS + GET : The data transfer is enrypted but search variables displayed in the URL.
HTTP + GET : Non encrypted datatransfer
SSL key exchange / Cipher
World Wide Web:
primary
secondary
Images:
primary
secondary
Thumbnails
Count of search results per page
Content filter

Violence
Filter adult material


Parental lock: with setting a password you are activating the parental lock. You are able to reset it by typing in the correct password clicking reset and saving the settings. To use the child protection properly you need to create a separate system account for your child with no write access to cookies

Length of descriptions
Activate social platform plugins
With activating this option social plugins embed to this website will get loaded automatically. You will automatically accept all terms of used social plugin hosters by setting activated. Please reconsider our terms and links to related terms and datasecurity for more information
Advertisements
Color style
Save Settings
Close Settings

Blog

Amazon Firesale Exploit
Translation in de

Amazon Firesale Exploit - Amazon was threatened to be sold out by bot networks without selling any item!!!

This was confirmed by Amazon's Security with the case number RM135444587.

BUG/EXPLOIT: Vendors pushing up their offers, today's deals and special offers
by adding their goods to fake accounts' baskets.

DESCRIPTION: Several vendors at Amazon are using fake accounts to push up
their offers and special offers adding those products to new accounts' baskets
using different IPs by VPN or proxy connections.
Accessing Amazons Vendor Items with an automated algorithm and adding Items to
baskets works like a charm (I gave a demonstration).

RISKS: This could be done even automated by browser emulations or algorhitms
having javascript interpreters implemented. With the additional use of proxies
and/or VPN connections this will look like real user activity.

ATTACK VEKTORS: - Target: WEB API of Amazon
- Access: Access by automated algorithms on Port 80/443
- Weakness Used: Instant Account Creation (no validation
required)
- Attack Method:
1) Find a seller or any seller on Amazon
2) Add their product(s) to a shopping cart
3) Do not purchase the product(s), leave it in the cart
4) repeat steps 2 and 3 until the company has almost no
items left
5) This offer will be now listed on top.

Or:
1) Find a seller or work or any seller or any work on
Amazon
2) Add their product(s) to a shopping cart
3) Do not purchase the product(s), leave it in the cart
4) repeat steps 2 and 3 until the company has no inventory
that is not marked as in someone's cart
5) A legitimate buyer now has to go to a
different seller to buy the product

-!!!ATTACK IMPACT!!!:
-This way 1 person could easily make a Vendor sold out/or
push it up to be on top of the list due to Amazon's item ranking method.
-1 Person using a big network / many nodes could easily make
Amazon completely sold out!

ATTACK IMPACT:
This Attack could easily ruin the whole income of Amazon and it's vendors.

LEGAL STATUS:This is unfair management and contradicts to the laws for fair
competition in a context of (e)commerce.
According to German/European law Amazon can be hold liable for those fraud
account activities. This is the case of negligence for letting fraud activity
reach out to users which did not even register at Amazon but will receive
emails. This is also a violation according to pretending of false facts.

HOW TO REPRODUCE:
Create several accounts using different ips or not and start adding products
especially special offers. Creating accounts fake accounts is made easy since
you are logged in after registration without any validation process. The
attacker can give any email address even a not self owned one and will have
access to a fake account for adding items to it's basket. Proxifying or using
several VPN connections per fake client will let this look like real user
activity. After ~15 minutes the basket will be refreshed if the session is not
refreshed by user activity. Items will be added to the basket again to keep the offer on
top or sold out.

HOW TO FIX:
- Purge not by Email and/or mobile phone confirmed accounts.
- First check for validity before letting new users log in.
- add email, mobile phone, address or passport/personal id validations for
registering process.
- reject darknets like tor

-> This will not just prevent the loss of income but also prevent Amazon of
beeing held repsonsible in some countries for careless forwarding of fraud
activity to customers or partners/vendors harming their income.

BUGFIX IMPACT ON User experience:
- adding an email validation linking to a instant login with authenticated
email will not impact the users' experience negatively.
- Just decreasing the basket purge time would harm the user's experience.

Please add a note for your management:
In my eyes this report is worth a bug bounty since this exploit could ruin not
only Amazon but also vendors or partners which would react like putting oil in
the fire. Imagine the worst case scenario: Amazon beeing sold out without
having sold an item a day.

... How surprising Amazon is not giving any bountys? Not even for saving them their main source for financial income?! If I was a manager of a Amazon or a Amazon local branch - I would definitively reconsider this! This would have helped many other people and not only Amazon associates!

Posted at ( updated at by b4sh )
in Security 

Tags:
Activate Facebook
Comments