Amazon hit by persistent XSS vulnerability

Written by DP

Monday, 4 October 2010

*UPDATE 5/10/2010* - It appears that Amazon corrected the XSS bug yesterday evening.

A security researcher who goes by the nickname "SeeMe" has reported a critical persistent cross-site scripting vulnerability affecting Amazon, America's largest online retailer (persistent XSS bug; mirror #1, #2).

To reproduce the vulnerability, a Pro Merchant subscription ($39.99) is needed; without it you cannot list your own product in the Amazon catalog. The flaw exists because the product title parameter is not properly sanitized, so a persistent XSS payload can be stored in the title of a newly listed product and is served to every visitor of that product's page:
Within a few minutes of a new product being added, the product's page shows up in Google SERPs:
...and of course instantly in Amazon's search results:
Examples of potential phishing Amazon URLs triggering the XSS:
"B003H7775E" is the ASIN (Amazon Standard Identification Number) generated for SeeMe's product, but you can define your own when you list a product.
Fraudsters can create a new Pro Merchant account with stolen credit/debit card details and verify their identity by a public telephone or an unregistered (in some jurisdictions) pay-as-you-go mobile phone number. Unsuspecting Amazon users are then exposed to XSS attacks that target personal and financial information. If the fraudsters use a popular keyword in the XSS attack vector, the poisoned listing surfaces in searches for that keyword and an even larger number of Amazon users could be affected.
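The mechanism above, as an added example that is not code from the original article or from Amazon: a simulated catalog stores a merchant-supplied title unchanged, a vulnerable renderer concatenates it into the product page and a hardened renderer HTML-encodes it at every output point (product page and search result). The catalog, the ASIN "B00EXAMPLE", the page templates and the payload title are all constructed for illustration and are not SeeMe's actual payload.

```javascript
// Added example (not from the original article): stored XSS through a
// product title, and the output-encoding fix. Everything here is constructed.

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simulated catalog: the listing is stored exactly as the merchant sent it,
// mirroring the article's point that the title is not sanitized on input.
const catalog = new Map();
function listProduct(asin, title) {
  catalog.set(asin, { asin, title });
  return catalog.get(asin);
}

// Vulnerable renderer: the stored title is concatenated straight into markup,
// so any tag in the title becomes part of the page for every visitor.
function renderProductPageVulnerable(asin) {
  const p = catalog.get(asin);
  return `<h1 id="title">${p.title}</h1>`;
}

// Hardened renderer: the same template with output encoding.
function renderProductPageSafe(asin) {
  const p = catalog.get(asin);
  return `<h1 id="title">${escapeHtml(p.title)}</h1>`;
}

// Search result snippet: the same stored value is reused in a second
// context (link text and a title attribute). A persistent payload fires in
// every place the value is rendered, so the fix must cover each output point.
function renderSearchHitSafe(asin) {
  const p = catalog.get(asin);
  const t = escapeHtml(p.title);
  return `<a href="/dp/${encodeURIComponent(p.asin)}" title="${t}">${t}</a>`;
}

// Rough output check: does the rendered fragment contain any tag name that
// the template itself did not emit? Useful as a regression test for a fix.
function containsInjectedTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed listing in the style of a persistent XSS test: the quote and
// closing bracket also break out of an attribute if the title lands in one.
const ASIN = "B00EXAMPLE"; // constructed, not SeeMe's real ASIN
const PAYLOAD_TITLE = `Cheap Kindle"><script>alert(document.cookie)</script>`;
listProduct(ASIN, PAYLOAD_TITLE);

console.log("vulnerable:", renderProductPageVulnerable(ASIN));
console.log("safe      :", renderProductPageSafe(ASIN));
console.log("search    :", renderSearchHitSafe(ASIN));
```

The vulnerable output carries a live `<script>` element; the safe output carries `&lt;script&gt;`, which the browser shows as text. Input-side filtering of the title would be a reasonable second layer, but encoding at output is what actually closes the bug, because the stored value is rendered in more than one place.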
Amazon's security team usually reacts quickly to such security issues.
