Message-ID: <15450f9876c.cf78236760865.1693477272535196770@lockbrowser.com>
Date: Mon, 25 Apr 2016 22:10:11 -0700
From: David Leo <david.leo@...kbrowser.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Request For Comment: Possible Flaw of Bypassing CAPTCHA in AWS Login?

The process of AWS login has a feature: if you use a "fresh" browser (no cookie, no cache, etc.) to sign in, put correct email and correct password there, CAPTCHA is required ("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below").

And I accidentally noticed this feature can be easily bypassed:

MY SYSTEM

Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP

MY STEPS

1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required
4. Clear cookie, cache, etc. in Chromium
5. Use Chromium under "Lock Browser" (lockbrowser.com) with "txt/https-whitelist.txt" configured as the following:
----------
amazon.com
d3rrzw75sdtfe5.cloudfront.net
d3a94n0r6dqtjm.cloudfront.net
d2q66yyjeovezo.cloudfront.net
d3rn69q7afuxu6.cloudfront.net
d257l1zb7u5fh9.cloudfront.net
----------
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc. fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required

ABOUT

I noticed this weird thing because I'm super lazy - don't add domains to whitelist if it works. Later, I thought, "oops, CAPTCHA is gone".

Of course, I contacted Amazon, and they said it's not a bug.

REQUEST FOR COMMENT

1. Can you reproduce this?
2. Is this thing a bug or not?
Kind Regards,

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
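The post does not say why blocking the page's CSS and script hosts makes the challenge disappear, and Amazon's actual login logic is not on the page. The example below is an added, constructed model (not Amazon's code and not code from the poster) of the one design that would behave the way the steps describe: a server that only enforces the CAPTCHA when the client-side widget reports it was rendered, next to the design a defender wants, where the "this session must solve a challenge" decision is recorded and checked entirely server-side, so a client that never loaded the widget still cannot log in with credentials alone. The user record, the `challenge_rendered` form field and the `Session` layout are all assumptions of the model.

```python
"""
Constructed model of CAPTCHA gating on a login endpoint.

Contrasts an anti-pattern (the server trusts a form field set by the
challenge widget's own JavaScript) with server-side enforcement (the
requirement lives in server session state and is checked on every attempt).
This is an illustrative model only; it is not AWS code and does not claim to
describe how the AWS console actually works.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical credential store. A real system stores password hashes.
USERS = {"alice@example.com": "correct horse battery staple"}


@dataclass
class Session:
    session_id: str
    seen_before: bool                 # server knows whether this session logged in before
    captcha_required: bool = False    # set by the server, never by the client
    captcha_answer: Optional[str] = None


class ServerState:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self, returning: bool = False) -> Session:
        s = Session(session_id=secrets.token_hex(8), seen_before=returning)
        self.sessions[s.session_id] = s
        return s

    def issue_captcha(self, s: Session) -> str:
        """Record the requirement server-side and mint an answer (rendered as an image in reality)."""
        s.captcha_required = True
        s.captcha_answer = secrets.token_hex(3)
        return s.captcha_answer


def password_ok(email: str, password: str) -> bool:
    expected = USERS.get(email)
    return expected is not None and hmac.compare_digest(expected, password)


def login_client_gated(state: ServerState, s: Session, email: str, password: str, form: dict) -> str:
    """Anti-pattern: the check only runs if the client says the widget was rendered.

    A client whose page assets never loaded (so the widget JS never ran) submits
    no 'challenge_rendered' flag and is waved through on credentials alone.
    """
    if not password_ok(email, password):
        return "denied"
    if s.seen_before or not form.get("challenge_rendered"):
        return "ok"                                   # no widget on the page -> no check
    if s.captcha_answer is None:
        state.issue_captcha(s)
        return "captcha_required"
    if form.get("captcha") != s.captcha_answer:
        return "captcha_required"
    s.seen_before = True
    return "ok"


def login_server_gated(state: ServerState, s: Session, email: str, password: str, form: dict) -> str:
    """Server-side enforcement: the decision is made from session state the client cannot edit."""
    if not password_ok(email, password):
        return "denied"
    if not s.seen_before and not s.captcha_required:
        state.issue_captcha(s)                        # fresh session: demand a challenge
        return "captcha_required"
    if s.captcha_required:
        answer = form.get("captcha")
        if answer is None or not hmac.compare_digest(answer, s.captcha_answer):
            return "captcha_required"                 # stays required until actually solved
        s.captcha_required = False
    s.seen_before = True
    return "ok"


def run_scenarios() -> dict:
    """Replay the post's two situations (assets loaded vs. assets blocked) against both designs."""
    results = {}
    state = ServerState()
    email, pw = "alice@example.com", USERS["alice@example.com"]

    # Fresh session, full page loaded: the client-gated design does enforce the challenge.
    s = state.new_session()
    first = login_client_gated(state, s, email, pw, {"challenge_rendered": True})
    second = login_client_gated(state, s, email, pw,
                                {"challenge_rendered": True, "captcha": s.captcha_answer})
    results["client_gated_full_page"] = (first, second)

    # Fresh session, widget assets blocked: the flag is never set and the check is skipped.
    s = state.new_session()
    results["client_gated_assets_blocked"] = login_client_gated(state, s, email, pw, {})

    # Same blocked client against server-side gating: credentials alone never suffice.
    s = state.new_session()
    first = login_server_gated(state, s, email, pw, {})
    retry = login_server_gated(state, s, email, pw, {})
    solved = login_server_gated(state, s, email, pw, {"captcha": s.captcha_answer})
    results["server_gated_assets_blocked"] = (first, retry, solved)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The check a reviewer would apply to any such flow: can the client influence whether the server performs the challenge check at all? If the answer depends on a cookie, a hidden form field or a script having executed, a client that simply drops those (as the whitelisted, CSS-less session in the post does) removes the check. The `login_server_gated` variant keeps the requirement in state the client cannot edit and re-evaluates it on every credential submission.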