
The security hole I found on Amazon.com - joshfraser
http://www.onlineaspect.com/2014/06/06/clickjacking-amazon-com/
======
euank
I find it ironic that the wikipedia page on clickjacking [0] lists _exactly
this exploit_ as the example, and yet no one has reported it or fixed it in all
this time.

[0]:
[https://en.wikipedia.org/wiki/Clickjacking#Examples](https://en.wikipedia.org/wiki/Clickjacking#Examples)

Edit: This example was added to the wiki page in December 2009. Relevant link:
[https://en.wikipedia.org/w/index.php?title=Clickjacking&oldi...](https://en.wikipedia.org/w/index.php?title=Clickjacking&oldid=334778176#Example)

~~~
joshfraser
Wow, I hadn't even noticed that.

------
joev_
Unfortunately X-Frame-Options does not always fix these kinds of problems. If
you can get the user to click more than once on your page, you can open a tab
in the background on the first click (google for popunder.js), and if you can
predict click #2 a split second before it happens (e.g. zalewski's game PoC),
you can bring the popunder to the front and reposition it right under their
cursor.

(note: Amazon could fix this by detecting when opener is xdomain and requiring
some minimum number of mouseover events in the page before the button is
clickable).

~~~
erikano
>zalewski's game PoC

I googled this but found nothing relevant. Do you have a link?

~~~
joev_
[http://lcamtuf.coredump.cx/clickit/](http://lcamtuf.coredump.cx/clickit/)

~~~
erikano
Thanks :)

------
jarrett
Clickjacking is especially scary because most web apps are probably
vulnerable. The default httpd.conf that ships with most package managers
doesn't include the X-Frame-Options header. (Perhaps it should.)

Based on my testing, it appears Rails does not add that header either. Do any
other frameworks?

~~~
garethadams
Rails 4 includes that as a default header[1] and has done since August 2012[2].

[1]:
[https://github.com/rails/rails/blob/master/guides/source/sec...](https://github.com/rails/rails/blob/master/guides/source/security.md#default-headers)

[2]:
[https://github.com/rails/rails/commit/2a290f7f7cdf775491eda0...](https://github.com/rails/rails/commit/2a290f7f7cdf775491eda05b3690be6d96cd9bf6)

~~~
jarrett
It appears we're each partially right: If you generated a new Rails app after
August 2012, you get the header by default. If you generated the app before
August 2012, you do _not_ get the header by default.

So PSA: Updating Rails in an existing app does not cause this header to be
added. You must add it yourself in application.rb if it's not already there.
See garethadams' footnote #2 above.
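An added example, not code from this thread, from Rails or from Amazon: a Rack-style middleware that sets X-Frame-Options on every response for an app that never got the default, skips an assumed allowlist of paths that legitimately need cross-origin framing (the "widgets" case), and never overrides a value the app already chose. The `/widget` path and the demo app are constructed for illustration.

```ruby
# Rack-style middleware that adds X-Frame-Options to every response
# unless the app already set it or the path is intentionally framable.
# Added example; not code from the thread or from Rails itself.
class FrameOptionsMiddleware
  HEADER = "X-Frame-Options".freeze

  # framable_paths: assumed allowlist of paths that legitimately need to be
  # embedded cross-origin (e.g. an embeddable widget); they get no header.
  def initialize(app, value: "SAMEORIGIN", framable_paths: [])
    @app = app
    @value = value
    @framable_paths = framable_paths
  end

  def call(env)
    status, headers, body = @app.call(env)
    path = env["PATH_INFO"].to_s
    unless @framable_paths.include?(path) || has_header?(headers)
      headers[HEADER] = @value
    end
    [status, headers, body]
  end

  private

  # Header names are case-insensitive; respect a value the app already chose.
  def has_header?(headers)
    headers.keys.any? { |k| k.to_s.casecmp(HEADER).zero? }
  end
end

# Constructed stand-in for a Rails/Rack app: echoes the headers it was given.
def demo_app(extra_headers = {})
  ->(_env) { [200, { "Content-Type" => "text/html" }.merge(extra_headers), ["<html>ok</html>"]] }
end

# Runs one GET through the middleware and returns the final response headers.
def headers_for(path, app_headers: {}, framable_paths: [])
  mw = FrameOptionsMiddleware.new(demo_app(app_headers), framable_paths: framable_paths)
  _status, headers, _body = mw.call({ "PATH_INFO" => path, "REQUEST_METHOD" => "GET" })
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts headers_for("/buy-now").inspect                              # gets SAMEORIGIN
  puts headers_for("/widget", framable_paths: ["/widget"]).inspect  # left without the header
end
```

In a real Rails app the same effect comes from `config.action_dispatch.default_headers` in application.rb, as the comments above describe; the middleware form is shown so the allowlist and do-not-override cases are explicit.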

------
0h139
Hope you got a bounty!

~~~
joshfraser
Nope. Not even a t-shirt.

~~~
ohashi
That sucks. It makes responsible disclosure seem marginally less attractive
without any type of reward. I am sure most people would either do it or not,
but there's probably some on the fence. And some people might actually start
looking knowing there was a legitimate reward.

~~~
DougBTX
There's a bit of back and forth between intrinsic and extrinsic motivation,
where an external reward can reduce intrinsic motivation more than it
increases extrinsic motivation. That is, if the reward is known but small,
someone could go from, "I'll submit this since I want to help them out," to,
"I'm not going to work for below minimum wage!"

[http://en.wikipedia.org/wiki/Motivation#Intrinsic_and_extrin...](http://en.wikipedia.org/wiki/Motivation#Intrinsic_and_extrinsic_motivation)

~~~
ohashi
So make it more than minimum wage. Problem solved.

------
fletchowns
Why did it take months for Amazon to fix it?

~~~
joshfraser
I have no idea. Adding a single HTTP header seems simple to me, but I have no
idea what their architecture looks like. It took them an entire month to send
me a "thanks, we're working on it" email and that was only after I followed up
with them.

~~~
mike-cardwell
They probably spent most of the time investigating to make sure that adding
the header wasn't going to break anything.

~~~
joshfraser
Yep, they may have had widgets or legitimate framing that they needed to
handle.

------
id
Blog appears to have some issues:

"Your PHP installation appears to be missing the MySQL extension which is
required by WordPress."

~~~
themodelplumber
Gutsy move, posting to HN about a security vulnerability at Amazon. And using
WordPress to do it. I'll bet this guy loves playing on cliffs, too.

~~~
rabino
Why? You have a lot of ways to hack a WordPress site?

~~~
daeken
> <azonenberg> wordpress is an unauthenticated remote shell that, as a useful
> side feature, also contains a blog

That's an old joke and obviously an exaggeration, but it's not horribly far
off. WordPress instances fall to attack constantly, due to a combination of
bugs in the base application itself (not terribly common) and extensions (not
just common -- CONSTANT). In terms of breakability, I would rank WordPress in
the top 1% of applications without a second thought.

~~~
georgestephanis
If you believe you're aware of any security issues with WordPress core itself,
Automattic is running a Bug Bounty program over on HackerOne here:
[https://hackerone.com/automattic/](https://hackerone.com/automattic/) --
responsible disclosure, bug bounties, and making the web a safer place is
awesome.

~~~
nomedeplume
You really think some piddling Automattic bounty is more valuable than a
WordPress 0day?!?!?!?!? (Conscious punctuation.)

I'm at a loss for words, scaredy-cat.

~~~
notfoss
So you are implying that there are no honest people out there, and on top of
that everyone that finds a vulnerability has the guts and resources to make
money off a 0day bug?

~~~
shiven
What's so hard in making money off 0days? Especially in this day and age of
Silk Road clones and cryptocurrencies.

I was under the impression that a big reason why 0day exploits are not popping
up all over is because the folks who discover them can now sell them (for way
more than any bounty program), whereas earlier the only way to monetize was to
use them as advertisement for selling your skills. Instant payment vs
Contractual jobs. I'd say now the 0day vulns end up in the hands of
professionals (criminal networks/state actors) rather than script kiddies.

~~~
judk
More than one person can rediscover an exploit. Paying all of them gets
expensive.

------
rhgraysonii
Anyone have a link to a more detailed writeup on exactly how this was
implemented?

~~~
joshfraser
I can post the code. It just doesn't work anymore since they fixed the hole.

Edit:
[https://gist.github.com/joshfraser/819308dbae43ff70d892](https://gist.github.com/joshfraser/819308dbae43ff70d892)

~~~
canadaj
Please do, it would be interesting to see how it works.

------
driverdan
Simple solution: all browsers should have 3rd party cookies disabled,
including iframes.

~~~
mappum
If the fix was that easy, it would have been implemented by now. Doing so
would prevent some useful behavior. For instance, an embeddable Facebook like
button needs to run in an iframe and uses facebook.com cookies to be able to
associate the like with the user.

~~~
junto
Funnily enough, I would see that as a good thing rather than a bad thing!

------
homakov
"Security hole" is a loud title. Is it worth a blog post at all? meh

~~~
joshfraser
I'm a big fan of your research. I debated whether to go with a more specific
title like "Clickjacking with one click purchases on Amazon" but decided to
keep it simple for people unfamiliar with the concept.

~~~
homakov
In fact it _is_ a security issue but IMO you also should have emphasized: 1)
Amazon sucks at fixing bugs, 2) clickjacking can be a serious issue.

------
micahgoulart
> I resisted the temptation to use the exploit to send myself a million
> dollars worth of free Amazon gift cards

Sorry, but that's not how Amazon's "Buy It Now" option works. It sends the
item to the default address on file. So it would not be possible for the
clickjacker to get it mailed to their own address.

~~~
giulianob
Would it be possible to use this to sell items with you as a referral and get
paid commission?

~~~
joshfraser
Yes, but even better, you could list your own products on Amazon and get paid
whatever amount you want. Of course, there's no way to stop the email receipts
from Amazon, but you might be able to get away with it for a short period of
time.

