lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <15450f9876c.cf78236760865.1693477272535196770@lockbrowser.com>
Date: Mon, 25 Apr 2016 22:10:11 -0700
From: David Leo <david.leo@...kbrowser.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Request For Comment: Possible Flaw of Bypassing CAPTCHA in AWS
 Login?

The process of AWS login has a feature: if you use "fresh" browser(no cookie, no cache, etc) to sign in, put correct email and correct password there, CAPTCHA is required("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below").

And I accidentally noticed this feature can be easily bypassed:

MY SYSTEM
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP

MY STEPS

1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required

4. Clear cookie cache etc in Chromium
5. Use Chromium under "Lock Browser"(lockbrowser.com) with "txt/https-whitelist.txt" configured as the following:
----------
amazon.com
d3rrzw75sdtfe5.cloudfront.net
d3a94n0r6dqtjm.cloudfront.net
d2q66yyjeovezo.cloudfront.net
d3rn69q7afuxu6.cloudfront.net
d257l1zb7u5fh9.cloudfront.net
----------
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required

ABOUT
I noticed this weird thing because I'm super lazy - don't add domains to whitelist if it works. Later, I thought, "oops, CAPTCHA is gone". Of course, I contacted Amazon, and they said it's not a bug.

REQUEST FOR COMMENT
1. Can you reproduce this?
2. Is this thing a bug or not?

Kind Regards,


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists