
Abusing Amazon's Look Inside feature to leak unreleased content - justMaku
https://justmaku.org/2018-06-19-amazon-leaking-ebooks
======
warent
> _Disclaimer: Amazon doesn't have a bug bounty program and didn't offer
> anything other than thanks and gratefulness for bringing the vulnerability
> to their attention. Blizzard Entertainment (as the copyright holder for the
> book I was testing with) has also been notified of this vulnerability and
> has offered a small gift but never fulfilled that promise._

I'm not surprised Amazon would pay with nothing more than a nice email. What's
more surprising is that Blizzard would give the author the shaft like that.
They're usually pretty good about this sort of thing.

~~~
clubm8
Then next time someone finds an Amazon bug, they should release it 0-day on
their blog for the lulz^H^H^H^H credit.

Or sell it to someone who can make use of it.

It's incredibly entitled for a company to not run a bug bounty program then
complain when people drop 0-days on their github blogs.

~~~
StavrosK
If you find that someone forgot their car door open, do you deserve money for
not telling thieves where you can find a car with an open door?

Bug bounties are a good incentive for hardening your security, but is
exploiting flaws the moral thing to do by default? Does there need to be a
monetary incentive for people to do the right thing?

I run a service that has a few users and makes about $200/mo. Someone once
emailed me that they found a bug and whether I run a bug bounty program. I
told them I couldn't really afford one and they never replied. Are they now
morally justified to publicize the flaw?

~~~
bfrydl
Your analogy has cause and effect reversed. The correct analogy is that if I
know there is a reward for telling people their car doors are open, I will go
around town specifically looking for open car doors. With no reward, I'm just
going to go about my life not even looking at car doors.

Your service may be too small for this, but a company like Amazon typically
saves money overall by running a bug bounty program because uncaught bugs can
be extremely expensive.

~~~
StavrosK
The GP said "the next time someone finds a bug", ie the assumption is that a
bug has been found. They didn't talk about whether bugs would be found or not.

------
alangpierce
Interesting, the "stitch together a bunch of substrings of a large string"
task also comes up in DNA sequencing: the physical process basically randomly
samples a bunch of snippets that are each a few hundred bases long, and you
need to use software to detect overlaps and combine them into one long sequence.
It's a pretty heavily-researched computational problem, I believe. The
author's simple algorithm seems to have worked, but I guess the DNA case is
harder because you don't really have the "page number", you have a lot more
snippets to combine, and snippets may have errors, with more errors occurring
toward the ends.

Some information on the topic:
[https://en.wikibooks.org/wiki/Next_Generation_Sequencing_(NGS)/De_novo_assembly](https://en.wikibooks.org/wiki/Next_Generation_Sequencing_\(NGS\)/De_novo_assembly)
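
The "stitch overlapping substrings back together" step the comment above describes, written out as an added example (this is not code from the post, not Amazon's code, and it never touches any live service). A constructed paragraph is cut into shuffled overlapping windows; `sample_snippets`, `overlap`, `assemble_ordered` and `assemble` are names chosen here for illustration. `assemble_ordered` covers the easy case where each snippet carries an ordering key (the "page number" the comment mentions), `assemble` covers the harder case without one, using the same greedy longest-overlap merge that de novo sequence assemblers start from.

```python
"""Greedy overlap assembly of overlapping text snippets.

Added example, not code from the original post or from Amazon.  The
snippet sampler is a constructed stand-in for whatever excerpts a
search feature returns: it just cuts a text into overlapping windows.
"""
import random


def sample_snippets(text, width=40, step=25, seed=7):
    """Constructed data: overlapping windows of `text`, tagged with their
    offset (a stand-in for a page number), returned in shuffled order."""
    tagged = [(i, text[i:i + width]) for i in range(0, len(text), step)]
    random.Random(seed).shuffle(tagged)
    return tagged


def overlap(a, b, min_len):
    """Length of the longest suffix of `a` that is also a prefix of `b`,
    provided it is at least `min_len` characters; otherwise 0."""
    for k in range(min(len(a), len(b)), min_len - 1, -1):
        if a.endswith(b[:k]):
            return k
    return 0


def assemble_ordered(tagged, min_overlap=8, gap=" [...] "):
    """Easy case: snippets carry an ordering key, so sort and merge each
    one onto the growing text.  A missing overlap is kept as a visible gap
    marker rather than silently glued together."""
    out = ""
    for _, snip in sorted(tagged):
        if not out:
            out = snip
        elif snip in out:
            continue                      # already fully covered
        else:
            k = overlap(out, snip, min_overlap)
            out += snip[k:] if k else gap + snip
    return out


def assemble(snippets, min_overlap=8):
    """Hard case: no ordering key.  Drop snippets contained in others, then
    repeatedly merge the pair with the longest suffix/prefix overlap.
    Returns the list of contigs: one string if everything joins up, more
    if coverage has a hole."""
    pieces = [p for p in snippets
              if not any(p != q and p in q for q in snippets)]
    while len(pieces) > 1:
        best_k, best_i, best_j = 0, None, None
        for i, a in enumerate(pieces):
            for j, b in enumerate(pieces):
                if i != j:
                    k = overlap(a, b, min_overlap)
                    if k > best_k:
                        best_k, best_i, best_j = k, i, j
        if best_i is None:
            break                         # no overlap left: leave separate contigs
        merged = pieces[best_i] + pieces[best_j][best_k:]
        pieces = [p for n, p in enumerate(pieces) if n not in (best_i, best_j)]
        pieces.append(merged)
    return pieces


# Constructed sample text (188 characters, no repeated 15-character runs).
TEXT = ("Chapter one. The caravan left the harbour at dawn, carrying salt, "
        "copper ingots and three crates of sealed letters bound for the "
        "northern archive, where the clerks would sort them by seal.")

if __name__ == "__main__":
    tagged = sample_snippets(TEXT)
    print(assemble_ordered(tagged) == TEXT)
    print(assemble([s for _, s in tagged]) == [TEXT])
    # Remove one window to show how each assembler reports a coverage hole.
    holed = [(i, s) for i, s in tagged if i != 50]
    print(assemble_ordered(holed))
    print(len(assemble([s for _, s in holed])), "contigs")
```

The greedy merge is only safe while true overlaps are longer than any accidental one; `min_overlap` is the knob that trades false joins against fragmentation, and the DNA case the comment mentions is harder precisely because sequencing errors near snippet ends shrink the usable overlap.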

------
userbinator
The use of that feature to extract significant amounts of content was noticed
over a decade ago by Fravia and his followers:

[http://search.lores.eu/books.htm](http://search.lores.eu/books.htm) (near
bottom of page)

Of course, back then it was the norm to publish this information in a place
for those seeking information or otherwise "keep it tight", and not instead
let them tighten the nooses around our necks by instantly snitching to the
company for the hope of a paltry monetary reward...

~~~
bfrydl
I think you should consider that some people need money more than a goofy
clandestine camaraderie with other "information seekers" on the internet and
also that bug bounties frequently exceed "paltry."

------
chadlavi
This is sort of tangential, but: it doesn't make any sense that there's OCR
going on in that process. Surely Amazon could just ask for the digital version
of the book as a requirement for SearchInside participation?

~~~
hvindin
Not sure how the specifics of this works on amazon but when I read it
initially I assumed the results were returned as images which seems to make a
little bit more sense, although possibly not that much.

Although reading it again it does seem to be quite unclear...

------
ars
What was the fix? The article doesn't say.

