Softpedia
 


October 4th, 2010, 10:57 GMT · By

Persistent XSS Bug Found on Amazon



Persistent XSS vulnerability found in Amazon new product form
A persistent cross-site scripting (XSS) weakness discovered on Amazon allowed potentially rogue merchants to generate product listings capable of hijacking session cookies.

The vulnerability was discovered and reported to the XSSed Project on September 30 by a security researcher calling himself SeeMe.

The problem is located in the "Title" field of the form used to publish new products in Amazon's catalog. Therefore, exploiting it requires a $39.99 Pro Merchant subscription.

Insufficient validation of data passed through the vulnerable field allows potential attackers to inject malicious code in the resulting product page.

The researcher created a proof-of-concept listing, which prompted an alert box with the visitor's session cookie, but he could just as easily have it sent to a remote website under his control.

The rogue product page was discoverable through Google, but it could have also been used to craft a credible email-based phishing attack.

"Fraudsters can create a new Pro Merchant account with stolen credit/debit card details and verify their identity by a public telephone or unregistered (in some jurisdictions) pay-as-you-go mobile phone number," explained Dimitris Pagkalos, co-founder of the XSSed Project.

"Unsuspecting Amazon users are susceptible to malicious XSS attacks that target personal and financial information.

"If the fraudsters use a popular keyword in the XSS attack vector, an even larger number of Amazon users could be infected," he warned.

There is currently no confirmation that the vulnerability was fixed, but according to Pagkalos, Amazon's security team reacts quickly to such reports.

XSS vulnerabilities are very common, but the majority only allow for so-called "reflected" attacks, which involve tricking users into opening malformed URLs.

XSS weaknesses that can be exploited to inject unauthorized code into actual pages, like in this case, are known as "persistent" and can be very dangerous.

Two such vulnerabilities were used to launch XSS worms on both Twitter and Orkut recently, where users of the social networking sites would become infected just by viewing a maliciously crafted message.
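
The class of flaw described above, a stored "Title" value written into the product page without encoding, shown next to its fix. This is an added example, not code from the article, the researcher or Amazon; the function names, markup, cookie name and sample title are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical catalog rendering code, not Amazon's.
// A stored title is untrusted input every time it is rendered.

// Encode the five characters that are significant in HTML text and
// quoted attribute values. Single pass, so '&' is never double-encoded.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so any tags it contains become part of the page for every visitor.
function renderListingUnsafe(product) {
  return `<h1 class="title">${product.title}</h1>`;
}

// Hardened pattern: encode on output, at the point where data meets HTML.
function renderListingSafe(product) {
  return `<h1 class="title">${escapeHtml(product.title)}</h1>`;
}

// Regression check: the title slot must contain no raw angle brackets.
function titleIsInert(rendered) {
  const inner = rendered.slice('<h1 class="title">'.length, -'</h1>'.length);
  return !/[<>]/.test(inner);
}

// Defense in depth for the asset named in the article: HttpOnly keeps the
// session cookie out of reach of page scripts even if encoding is missed.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample record, standing in for a merchant-supplied listing.
const stored = { title: 'USB cable <script>alert(1)</script>' };

console.log(renderListingUnsafe(stored), titleIsInert(renderListingUnsafe(stored)));
console.log(renderListingSafe(stored), titleIsInert(renderListingSafe(stored)));
console.log('Set-Cookie: ' + sessionCookieHeader('abc 123'));
```

Output encoding addresses the injection itself; the `HttpOnly` flag only limits what a missed case can do to the session cookie.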
