Researcher publishes details of Amazon.com, MSN holes

A security researcher has published details of flaws on Amazon's and Microsoft's Web sites.

Frustrated with what he calls a lack of response from Microsoft and Amazon.com, a security researcher has gone public with details of flaws on the two companies' Web sites.

The flaws could be used by attackers to steal "cookie" data files that would allow them to access Amazon.com and MSN accounts, or to display a fake login page that could be used in phishing attacks, according to Yash Kadakia, the independent security researcher who discovered the flaws.

Although the cross-site scripting flaws he discovered are generally considered to be low-risk problems, Kadakia's attack involves a technique called CRLF (Carriage Return Line Feed) injection, which can be used in a more serious and widespread attack, he said.

Kadakia said he first notified Microsoft of the problem about a year ago. But he said he was not taken seriously until late last week, when he posted screen shots of the flaw being exploited on his Web site (http://blogs.hackerscenter.com/dcrab/).

The Amazon.com flaw was discovered in December, but after some initial discussions with the Web retailer, the vulnerability remained unpatched, Kadakia said. "The conversations got dropped off somewhere," he said.

A spokesman for Microsoft's public relations agency said the flaws were now being investigated. Amazon.com executives were unable to comment for this story.

Though Microsoft has made much of its focus on security, the company appears to be slower at dealing with security issues relating to its Web properties than with its software products, said Stefano Zanero, the co-founder and chief technology officer at security consultancy Secure Network SRL.

Web flaws such as the type discovered by Kadakia have been around for a long time, but hackers have tended to focus their efforts on operating systems. However, with operating system flaws now becoming harder to find, the bug hunters are looking for new areas, including Web applications.

According to Zanero, there are a lot more Web vulnerabilities to be discovered. "We do Web application penetration testing as one of our core business services, and we've found huge holes in every single Web application we've tested to date," he said. "This thing is just waiting to explode."

Earlier this month, a worm began making the rounds at Yahoo Inc.'s Web-based e-mail server. Called JS.Yamanner@m, the worm did not cause widespread damage, but it drew attention to the vulnerability of some Web applications.

The slow response by Microsoft and Amazon.com shows that Web-based vulnerabilities are not a top concern to many Web sites, Zanero said. "It's the sluggish handling of these things that's surprising," he said. "These vulnerabilities were on two of the world's best-developed Web sites, somebody found them out, and nobody cared for a year or so."

Meanwhile, Amazon.com and Microsoft are now trying to fix the bugs, Kadakia said.

Not all security experts agreed that the bugs Kadakia has discovered are critical. "These are actually fairly common types of exploits," a Symantec spokesman said in an e-mail note. "Nothing really to write home about."

Nevertheless, Symantec appears to be taking the problem more seriously than does Microsoft, Kadakia said.

The security researcher recently notified Symantec about a similar flaw on its own Web site. "They fixed it in a week," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?