Posts tagged ‘hacks’

The security hole I found on

I found a security hole on Amazon last August. While looking at their HTTP headers, I happened to notice that the entire domain was susceptible to clickjacking attacks. If I could trick you into clicking anywhere on a webpage I controlled, I could get you to buy any product that’s available for sale on Amazon. By the way, that includes any fake products that I added to Amazon myself. For the hack to work, you needed to be signed into your Amazon account and have one-click purchasing turned on. I created a working proof-of-concept that looked like this:


Clicking either button caused an instant purchase of the movie Click (get it?). I resisted the temptation to use the exploit to send myself a million dollars worth of free Amazon gift cards, and instead responsibly disclosed it to the Amazon security team. It took them months to fix it, but the security hole has finally been closed using the X-Frame-Options header that I recommended.

This hack is classic clickjacking. I created a transparent iframe containing an Amazon product page, carefully positioned so that when you think you’re clicking on my page, you’re actually clicking the “Buy now” button on their site instead. Here’s the code for the no longer working proof of concept.
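The check that surfaced this bug was simply reading response headers. As an added example (not code from the original post), here is a small header classifier that reports whether a page can be framed, covering both X-Frame-Options and the newer Content-Security-Policy frame-ancestors directive; the header sets at the bottom are constructed to mirror the before and after states described above.

```python
# Added example: classify a response's clickjacking defences from its headers.
# Header names are matched case-insensitively, as browsers do.

def frame_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Browsers that understand CSP frame-ancestors ignore X-Frame-Options
    # when that directive is present, so it is checked first.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # An empty source list or 'none' matches no origin: no framing at all.
            if not sources or sources == ["none"]:
                return True, "CSP frame-ancestors blocks all framing"
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors limited to: " + " ".join(sources)

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value that current browsers ignore, so it protects nothing.
        return False, "X-Frame-Options ALLOW-FROM is ignored by modern browsers"
    return False, "no frame protection header"


# Constructed samples: roughly the state found, and the state after the fix.
BEFORE = {"Content-Type": "text/html", "Set-Cookie": "session-id=constructed"}
AFTER = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        ok, why = frame_protection(hdrs)
        print(f"{label}: {'protected' if ok else 'FRAMEABLE'} ({why})")
```

Note that the header only stops the framing trick; a one-click purchase is still a single-click irreversible action, which is what made the bug so valuable.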


Having fun with Proximity for Mac

One of the things I love about my Mac is how easy it is to hack things to work the way I want. I’m always amazed by how many easy hooks there are into system settings and native applications.

I recently stumbled upon a neat application called Proximity. Proximity detects when a selected device (cell phone, wireless mouse, etc.) comes in or out of Bluetooth range and executes selected scripts. Since my iPhone is almost always with me, I decided to write a couple of scripts to password protect my laptop when my iPhone isn’t around, and unlock it when I return. As an added bonus, my code also mutes my audio and sets an away message on iChat when I leave. It then sets my status to “available” when I return.

The cool thing about this is that it keeps my laptop secure without having to mess with a screen-saver password all the time. I can think of a lot of other uses for this technology. For example, I wonder how many people would like to have a notification pop up when their boss is about to walk into the room, or just have a Bluetooth device automatically sync when it’s in range of their computer. I should add that Bluetooth detection has its limitations, particularly because the underlying hardware makes it tough to detect real-time changes, causing a significant lag. You also don’t have any way to detect the strength of the signal to get any sense of how far away the device is from your computer — it’s entirely binary — the device is on and in range or it’s not. That said, it’s still a powerful demonstration of what can be accomplished with technology when you start getting creative.

Here are my scripts. First, the one that gets executed whenever my iPhone goes out of range:

-- mute volume
set volume with output muted

-- set status to away
tell application "iChat"
    set status to away
end tell

-- turn on the screen saver password
tell application "System Events"
    tell security preferences
        set properties to {require password to wake:true}
    end tell
end tell

-- activate the screen saver
tell application "ScreenSaverEngine" to activate

-- if the above line doesn't work, try uncommenting this instead:
-- do script "/System/library/Frameworks/Screensaver.framework/Resources/"

And, in range:

-- set status to available
tell application "iChat"
    set status to available
end tell

-- disable screen saver password
tell application "System Events"
    tell security preferences
        set properties to {require password to wake:false}
    end tell
end tell

-- turn off the screen saver
tell application "ScreenSaverEngine" to quit

Let me know if you come up with any other applications for this or have suggestions for other functionality I should add to my fancy phone-triggered security system.


Verifying domain name ownership

I got a nice shout-out on TechCrunch today for discovering an issue with the new Kindle Publisher program. The vulnerability allowed anyone to claim a blog as their own and take advantage of the 30% rev-share that Amazon offers on their $1.99 subscription fee. Erick Schonfeld did a nice job covering the issue and explaining the implications of the hack. You can read about it in the TechCrunch article.

The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name. I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong — especially when there is a large audience and money to be gained.

For those who are interested in the best way to verify domain name ownership (ahem, Amazon), Google would be a great role model to follow. There is a nice explanation of how Google’s domain verification process works on their help pages:

To verify that you own a site, you can either add a meta tag to your home page (proving that you have access to the source files), or upload an HTML file with the name you specify to your server (proving that you have access to the server).

Each verification method has its advantages. Verifying using a meta tag is ideal if you aren’t able to upload a file to your server. If you have direct access to your server, you may find it easier and faster to upload an HTML file.
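As an added example (not from the post, and not Google's or Amazon's actual code), here is the verifier side of that challenge-response scheme: the service issues a random token to the person claiming a site, then checks for it either in a meta tag on the home page or in a file at a token-named URL. The meta tag name, the in-memory site and the fetch_page stand-in are constructed for the demo.

```python
import re
import secrets

META_NAME = "example-site-verification"   # hypothetical tag name, not Google's


def issue_token():
    """Fresh, unguessable token for one claim of one domain (bind it server-side)."""
    return secrets.token_urlsafe(24)


def verify_by_meta(home_html, token):
    """Meta-tag method: <meta name=META_NAME content=token> on the home page.
    Assumes the name attribute precedes content, as in the constructed sample."""
    pattern = re.compile(
        r'<meta\s+name=["\']%s["\']\s+content=["\']([^"\']+)["\']' % re.escape(META_NAME),
        re.IGNORECASE)
    return any(found == token for found in pattern.findall(home_html))


def verify_by_file(file_body, token):
    """File method: /<token>.html must exist and contain the token."""
    return file_body is not None and file_body.strip() == token


def verify_domain(fetch, domain, token):
    """Try both methods; return the one that succeeded, or None."""
    if verify_by_meta(fetch(f"https://{domain}/") or "", token):
        return "meta"
    if verify_by_file(fetch(f"https://{domain}/{token}.html"), token):
        return "file"
    return None


# Constructed sample sites: blog.example used the meta tag, docs.example the file.
TOKEN = "constructed-demo-token"
SITE = {
    "https://blog.example/": f'<html><head><meta name="{META_NAME}" content="{TOKEN}"></head></html>',
    f"https://docs.example/{TOKEN}.html": TOKEN + "\n",
}


def fetch_page(url):
    """Stand-in for an HTTP GET; None plays the role of a 404."""
    return SITE.get(url)


if __name__ == "__main__":
    for d in ("blog.example", "docs.example", "stranger.example"):
        print(d, "->", verify_domain(fetch_page, d, TOKEN))
```

A claimant who cannot place the token on the site gets None, which is exactly the gap the Kindle Publisher flow left open.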

Amazon would do well to follow Google’s lead.