亚马逊 隐蔽重定向 (Covert Redirect) 基于 Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com 公开重定向 (Open Redirect) 计算机网络安全漏洞
Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect
Domains:
http://www.amazon.com/
All kindlepost.com omnivoracious.com carlustblog.com are websites belonging to Amazon.
Vulnerabilities Description:
Amazon has a security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks.
When a user is redirected from amazon to another site, amazon will check a variable named "token". Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.
The vulnerabilities can be attacked without user login. Tests were performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium (version 37.0.2062.120) in Ubuntu 12.04 (281580) (64-bit).
Use a website for the following tests. The website is "http://www.diebiyi.com/articles". Suppose this website is malicious,
Discover:
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
POC Video:
https://www.youtube.com/watch?v=UE_-AdA-zpQ&feature=youtu.be
Blog Details:
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-based-on-kindle.html