Well, it seems that someone is claiming to be the guy behind this (you'll get a warning about adult content; it isn't NSFW, but there is some language that I'd imagine some companies would not appreciate). What makes this guy look different from the run of the mill lolz i pwnd ur mom crowd is that he offers up specific details, and shell code he claims he used in the escapade:
So I script some quick bash.Well, now. I haven't tried this, but it seems plausible. It's also plausible that Amazon doesn't look for this sort high-rate incoming requests from the same source.
#!/bin/bash
let count = 1
while true; do
links -dump 'http://www.amazon.com/s/qid=0/?ie=ASCII&rs=1000&keywords=[redacted to keep my family-friendly "G" rating - ed.]&rh=n%3A!1000%2Ci%3Astripbooks%2Ck%3A[redacted here, too]&page= '`echo $count`|grep \/dp\/ >> /tmp/amazon
((count++))
done
There's some quick code to grab all the [redacted] metadata-tagged books on amazon. Then I pull out all the IDs of the given books from those URLs:
cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//
and I have a neat little list of the internal product ID of every [redacted] book on Amazon.
And now for the magic security-fu:
Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called "Cross-site request forgery'. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.Hmmm. The second bit smells fishy, although it could be true. But the first - aye, now there's the rub. Cross Site Request Forgery (XSRF, and it's cousin, Cross Site Scripting) is an attack where carefully chosen malicious data is sent to a web server, as user input. The assumption is that the web server coders were lazy (or dumb) and didn't check the incoming data for malicious code. I've posted this before, but it really gives you the flavor of what happens when you don't check (validate) user input:
I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs which caused huge numbers of visitors to report [redacted] items as inappropriate without their knowledge.
If there's a XSRF vulnerability, it would very likely be on an infrequently used page, like the form for reporting abuse. More important forms would get much more attention from the developers; the security ugliness always hides in little-used corners of the application.
Now, about the "I know people with high traffic sites" - it doesn't matter. You could combine this with a Cross Site Scripting attack against a vulnerable high traffic site and get the same thing as the owner embedding your iframe there. You can take my word for it, or watch this geeky-but-painless demo on how it works. Go ahead - I'll wait.
So, as the Mythbusters would say, "plausible." So why's this interesting, other than another big name got pwned? Resource poisoning. Let me explain.
A very old attack technique is called "Denial of Service" (DoS) - basically trying to make a service unavailable or unreliable. If someone were to dump a tanker truck load of motor oil on the beltway around 6:00 AM, the police would have to block off the highway for safety reasons, and folks would have an interesting commute. This is the obvious (and uninteresting) form of DoS. What if instead someone switched all the road signs, so that traffic to Chicago were sent down the road towards Albuquerque?
This is called "Resource Poisoning", and is intended to get the regular consumers of a resource to mistrust it. To date, this been a theoretical risk, only discussed by security geeks. At least, I can't remember another example of it, and I'm pretty darned security geeky.
Amazon has been a game changer, in part because it has tapped into "the wisdom of crowds". People who bought foo also bought bar. The crowd's preferences are a valuable resource, and Amazon was one of the first to harness that.
So what if someone could poison that resource? Hmmmm.
So is this correct? Did this guy pwn Amazon? Quite frankly, I don't know. I do know that Amazon has very good security. However, this story has the ring of truth to it - there are an awful lot of different parts of this story that sure sound like they could be true.
Any web site that lets users interact like this is vulnerable to resource poisoning. The next few years could be very interesting indeed.
No comments:
Post a Comment