The security hole I found on

I found a security hole on Amazon last August. While looking at their HTTP headers, I happened to notice that the entire domain was susceptible to clickjacking attacks. If I could trick you into clicking anywhere on a webpage I controlled, I could get you to buy any product that’s available for sale on Amazon. By the way, that includes any fake products that I added to Amazon myself. For the hack to work, you needed to be signed into your Amazon account and have one-click purchasing turned on. I created a working proof-of-concept that looked like this:


Clicking either button caused an instant purchase of the movie Click (get it?). I resisted the temptation to use the exploit to send myself a million dollars worth of free Amazon gift cards, and instead responsibly disclosed it to the Amazon security team. It took them months to fix it, but the security hole has finally been closed using the x-frame-options header that I recommended.

This hack is classic clickjacking. I created a transparent iframe containing a product page on that had been carefully positioned so when you think you’re clicking on my page, you’re actually clicking the “Buy now” button on their site instead. Here’s the code for the no longer working proof of concept.
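The defense the post describes is a response header that tells the browser not to render the page inside another site's frame. The following is an added example, not the post's own code (the proof of concept is no longer on the page): a small Python checker that classifies a response's framing policy from its headers, covering the X-Frame-Options header the post recommended and the Content-Security-Policy frame-ancestors directive that has since superseded it, plus a helper that adds both to a header set. The header values in SAMPLES are constructed for illustration.

```python
"""Assess and add clickjacking (framing) protection headers.

Added example; not code from the original post. Evaluates the two headers
that decide whether a page may be embedded in an <iframe> by another origin:
X-Frame-Options (legacy, still honoured) and the Content-Security-Policy
frame-ancestors directive (takes precedence in browsers that support it).
"""


def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Strip the quotes around keyword sources such as 'self' and 'none'.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing(headers):
    """Classify a response's framing policy.

    Returns {"protected": bool, "mechanism": "csp" | "xfo" | None, "notes": [str]}.
    "protected" is True when arbitrary third-party origins cannot frame the page.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}

    # frame-ancestors, when present, overrides X-Frame-Options in modern browsers.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors:
                return {"protected": False, "mechanism": "csp",
                        "notes": ["frame-ancestors allows any origin to frame the page"]}
            # An empty source list means 'none'; 'self' or explicit origins
            # restrict framing to those origins only.
            return {"protected": True, "mechanism": "csp",
                    "notes": ["frame-ancestors restricted to: " + (" ".join(ancestors) or "none")]}

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return {"protected": False, "mechanism": None,
                "notes": ["no X-Frame-Options or frame-ancestors: any origin may "
                          "embed the page in a (transparent) iframe"]}

    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "xfo",
                "notes": ["X-Frame-Options " + value]}
    if value.startswith("ALLOW-FROM"):
        return {"protected": False, "mechanism": "xfo",
                "notes": ["ALLOW-FROM is deprecated and ignored by current browsers; "
                          "use CSP frame-ancestors instead"]}
    return {"protected": False, "mechanism": "xfo",
            "notes": ["unrecognised X-Frame-Options value, browsers ignore it: " + xfo]}


def harden(headers):
    """Return a copy of headers with framing blocked by both mechanisms.

    X-Frame-Options covers older browsers; frame-ancestors covers modern ones.
    An existing CSP is extended rather than replaced, unless it already sets
    frame-ancestors, in which case it is left alone.
    """
    out = dict(headers)
    out["X-Frame-Options"] = "DENY"
    existing = next((k for k in out if k.lower() == "content-security-policy"), None)
    if existing is None:
        out["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif _parse_frame_ancestors(out[existing]) is None:
        out[existing] = out[existing].rstrip("; ") + "; frame-ancestors 'none'"
    return out


# Constructed sample header sets (not captured from any real site).
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp wildcard": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "legacy allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        result = assess_framing(hdrs)
        print(f"{name:18} protected={result['protected']!s:5} via={result['mechanism']}  {result['notes'][0]}")
    print("hardened:", harden({"Content-Security-Policy": "default-src 'self'"}))
```

Note the "csp wildcard" sample: an X-Frame-Options of DENY does not rescue a page whose CSP says `frame-ancestors *`, because browsers that understand frame-ancestors ignore X-Frame-Options when both are present. A deployment check should therefore look at both headers together, as the checker does, rather than stop at the first one it finds.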

  • Anon

    Did they give you a reward for finding it?

  • Anon

    And you’ve just confirmed why I do not have, and never will enable, one-click purchasing on Amazon.

  • PalpablePsyonics

    It's rather interesting that larger companies don't have an individual dedicated to specific tasks such as gradual security checks. An example workflow for an individual like this would be as follows:

    -Each time something is updated and/or altered that affects the live version, have a hired security technician spend time checking possible intrusions etc.

    Part of their job would be searching and storing information of various exploits and their explanations, and studying them to learn the thought processes that cause these vulnerabilities. Part of their job would be to test the website every so often, to check if certain code and/or input is vulnerable. Another part of their job would be implementing temporary and permanent fixes to various possibilities of future vulnerabilities, as it seems some vulnerabilities often repeat themselves, but in different forms.

    Then again getting businesses to actually hire people is like pulling nose hairs from a Dragon. (Just saying, if they had nose hairs that's what it'd be like.)

  • peroyotambien

    Superficially, that exploit is actually to Amazon's benefit. More products sold means more money for Amazon.

    Of course, the ensuing customer complaints and hoopla would more than negate that benefit. Did they compensate you?

  • Diego Plentz

    I hope that they paid a good reward.

  • Jim Ciallella

    Bunch of amateurs over there at Amazon. Good find.