Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden." (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more."

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information."

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines."

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token". Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

Attachments area
Preview YouTube video Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Web Security Vulnerabilities

information-technology

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Security Vulnerabilities

 

Vulnerability Description:
About.com all “topic sites" are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.com main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS and Iframe Injection attacks. In fact, for about.com’s structure, the main domain is something just like a cover. So, very few links belong to them.

 

Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.

 

 

Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.

 

For the Iframe Injection vulnerability. They can be used to do DDOS (Distributed Denial-of-Service Attack) to other websites, too.

Here is one example of DDOS based on Iframe Injection attacks of others.
http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

 

In the last, some “Open Redirect" vulnerabilities related to about.com are introduced. There may be large number of other Open Redirect Vulnerabilities not detected. Since About.com are trusted by some the other websites. Those vulnerabilities can be used to do “Covert Redirect" to these websites.

 

 

Vulnerability Disclosure:
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.

 

about_quesion_security_xss1

 

 

Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@Justqdjing)
http://www.tetraph.com/wangjing

 

 

(1) Some Basic Background

 

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month." (The New York Times)

 

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites," of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation, and, for March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month. As of August 2012, About.com is the property of IAC, owner of Ask.com and numerous other online brands, and its revenue is generated by advertising." (Wikipedia)

 

“As of May 2013, About.com was receiving about 84 million unique monthly visitors." (TechCrunch. AOL Inc.)

 

“According to About’s online media kit, nearly 1,000 “Experts" (freelance writers) contribute to the site by writing on various topics, including healthcare and travel." (About.com)

 

 

(1.2) Topics Related to About.com
“The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information." (azlist.about.com)

 

About.com – Sites A to Z

Number of Topics

A: 66

B: 61

C: 118

D: 49

E: 33

F: 57

G: 39

H: 48

I: 32

J: 15

K: 13

L: 36

M: 70

N: 26

O: 23

P: 91

Q: 4

R: 32

S: 104

T: 47

U: 12

V: 9

W: 43

X: 1

Y: 4

Z: 1

SUM: 1039

Reference: azlist.about.com/

 

In fact, those are not all topics of about.com. Some of the topics are not listed here such as,
http://specialchildren.about.com

 

So, there are more than 1000 topics related to about.com.

 

 

(1.3) Result of Exploiting XSS Attacks
XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

 

Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

“Identity theft

Accessing sensitive or restricted information

Gaining free access to otherwise paid for content

Spying on user’s web browsing habits

Altering browser functionality

Public defamation of an individual or corporation

Web application defacement

Denial of Service attacks (DOS)

" (Acunetix)

 

 

(1.4) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities
“In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker’s page loads a third-party page in an HTML frame; and then JavaScript executing in the attacker’s page steals data from the third-party page." (OWASP)

 

“XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw." (OWASP)

 

 

(1.5) Basic of Open Redirect (Dest Redirect Privilege Escalation) Vulnerabilities
“An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it." (OWASP)

Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust."

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the following web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

 

 

 

(2) About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Scripting) Security Attacks

 

Vulnerability description:

A method was found to attack users of About.com based XSS attacks.

All links under the topics of about.com can be used for this attack.

Just attach “/lr/" to any About.com’s sub-domains. Then attach “any codes + sciript" or attach “script" code directly is OK. The structure is “http://subdomain.about.com/lr/*/script_code/*“.

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

 

 

 

about_all_xss_1

 

about_all_xss_2

 

about_all_xss_4

 

 

POC Codes, e.g.

/"><svg/onload=alert(/justqdjing/)>

http://ipod.about.com/lr/ipad_how-tos/9033“><svg/onload=alert(/justqdjing/)>

http://dc.about.com/lr/shopping/a/BlkFriday.htm/“><svg/onload=alert(/justqdjing/)>

 

 

 

(3) About Group About.com Main Page’s Search Field XSS (Cross-Site Scripting) Security Vulnerabilities

 

Vulnerability description:
The web application About.com online website has a security bug problem. It can be exploited by XSS attacks.

 

 

The code programming flaw occurs at about.com main page’s search field, e.g.
http://www.about.com/?q=googleandroidsystem

 

 

about_search_xss1




POC Codes, e.g.

“–/>"><img src=x onerror=prompt(/justqdjing/)>

http://www.about.com/?q=“–/>"><img src=x onerror=prompt(/justqdjing/)>

 

 

 

(4) About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks

 

Vulnerability description:
About Group has a security problem. It can be exploited by Iframe Injection (Cross Frame Scripting) attacks.

 

The vulnerability occurs at about.com “offsite.htm" page with “zu" parameter, e.g.

 

Use “http://whitehatpost.blog.163.com/" for the following test.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

about_inframe_injection

 

about_international_iframe_jnjection

 

 

Vulnerable URLs:

 

 

 

(5) About (about.com) Open Redirect Multiple (Dest Redirect Privilege Escalation) Security Vulnerabilities

About Group online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Use one of webpages for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope/“. Suppose that this webpage is malicious.

 

Vulnerable URL 1:

POC:

 

Vulnerable URL 2:

POC:

 

Vulnerable URL 3:

POC:

 

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2015/Feb/9
http://lists.openwall.net/full-disclosure/2015/02/02/4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01647.html
http://securityrelated.blogspot.com/2015/02/about-group-aboutcom-all-topics-at_37.html
http://tetraph.com/security/xss-vulnerability/about-group-about-com-all-topics-at
http://webcabinet.tumblr.com/post/118901412227/securitypost-about-group-99-88-xss
http://xingzhehong.lofter.com/post/1cfd0db2_6f05d60
https://hackertopic.wordpress.com/2015/02/03/about-group-xss-xfs/
http://itinfotech.tumblr.com/post/120845059171/about-group-xss-xfs
http://itprompt.blogspot.com/2015/06/about-group-xss-xfs.html
https://plus.google.com/u/0/100242269120759811496/posts/T3SbFnTZGAo
https://itinfotechnology.wordpress.com/2015/03/24/about-group
https://www.facebook.com/websecuritiesnews/posts/803853789734793
https://twitter.com/essayjeans/status/607137800383655936
http://tetraph.blog.163.com/blog/static/2346030512015566409245/
https://www.facebook.com/pcwebsecurities/posts/687872271358693
http://www.inzeed.com/kaleidoscope/web-security/about-group-xss-xrf-open-redirect/
http://itsecurity.lofter.com/post/1cfbf9e7_733e1e5
https://webtechwire.wordpress.com/2015/02/12/about-xss-xfs/

 

 

 

 

Attachments area
Preview YouTube video About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Sciripting)

About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Sciripting)
Preview YouTube video About Group About.com Main Page’s Search Field XSS (Cross-Site Scripting) Security Vulnerabilities

About Group About.com Main Page’s Search Field XSS (Cross-Site Scripting) Security Vulnerabilities
Preview YouTube video About Group All Topics (At least 99.88% links) Vulnerable Iframe Injection (Cross Frame XFS) Attack

About Group All Topics (At least 99.88% links) Vulnerable Iframe Injection (Cross Frame XFS) Attack

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

new-type-of-phishing-attack-goes-after-your-browser-tabs-86b683f537

 

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

 

Domain:
http://cnn.com

 

“The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States.” (Wikipedia)

 

Discovered and Reported by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

Vulnerability Description:
CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

 

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

 

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

 

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN’s website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

 

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

 

 

<1> “The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites.”

 

cnn_open_redirect_complain_meitu_1

Figure from ehackingnews.com

 

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

 

 

(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting) Web Security Bugs

 

Domain:
travel.cnn.com/

 

Vulnerability Description:
The programming bug flaws occur at “/city/all” pages. All links under this URL are vulnerable to XSS attacks, e.g

 

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

 

The code programming flaw can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

 

cnn_travel_xss

 

PoC:

http://travel.cnn.com/city/all/all/tokyo/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

http://travel.cnn.com/city/all/all/bangkok/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

 

 

(2) CNN cnn.com ADS Open Redirect Web Security Bug

 

Domain:
ads.cnn.com

 

Vulnerability Description:
The programming code flaw occurs at “event.ng” page with “&Redirect” parameter, i.e.

 

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

(2.1) Use the following tests to illustrate the scenario painted above.

 

The redirected webpage address is “http://webcabinet.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

Since CNN is well-known worldwide, this vulnerability can be used to do “Covert Redirect” attacks to other websites.

 

Those vulnerabilities were reported to CNN in early July by Contact from Here. But they are still not been patched yet.
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Dec/128
http://lists.openwall.net/full-disclosure/2014/12/29/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1395
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://securitypost.tumblr.com/post/107868680057/ithut-cnn-cnn-com-travel
http://ittechnology.lofter.com/post/1cfbf60d_5500df0
http://ithut.tumblr.com/post/120833062743/cnn-xss-url-redirection-bug
http://www.tetraph.com/blog/it-news/cnn-xss-url-redirect-bug/
https://biyiniao.wordpress.com/2015/01/08/cnn-xss-open-redirect-bug/
http://whitehatpost.blog.163.com/blog/static/24223205420155613753998/
https://plus.google.com/u/0/+wangfeiblackcookie/posts/bFkukxiUfXK
https://www.facebook.com/permalink.php?story_fbid=674936469318135
http://tetraph.blogspot.com/2015/06/cnn-xss-redirect-bug.html
http://diebiyi.com/articles/news/cnn-xss-url-redirect-bug/
https://twitter.com/yangziyou/status/607060937309159425
https://redysnowfox.wordpress.com/2014/12/31/cnn-xss-url-redirect-bug/
https://www.facebook.com/permalink.php?story_fbid=1043534509019886
http://whitehatpost.lofter.com/post/1cc773c8_7338196
http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-xss-and

Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

amazon_1

 

Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden." (Wikipedia)

 

Discover:
Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Vulnerability Description:

Amazon online website has a computer security bug problem. Hackers can exploit it by Covert Redirect attacks. This allow them to get users’ sensitive information by attacks such as phishing.

 

The code programming flaw exists at “redirect.html?" page with “&location" parameter, e.g.

The vulnerability can be attacked without user login. Tests were performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium version 37.0.2062.120 in Ubuntu 12.04 (281580) (64-bit).



 

 

(2) Vulnerability Details:

When a user is redirected from Amazon to another site, Amazon will check parameters “&token". If the redirected URL’s domain is OK, Amazon will allow the redirection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,
facebook.com

 

 

 

(3) Use one of webpages for the following tests. The webpage address is “http://inzeed.com/kaleidoscope“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

 

 

(4) Vulnerability Disclosure:

The vulnerability was reported to Amazon in the beginning of February 2014. Amazon has patch part of the vulnerability.