Amazon Firesale Exploit
Translations: de

Amazon Firesale Exploit: bot networks could have made Amazon appear completely sold out without a single item being sold. The problem was fixed at very short notice. A bug in the web interface and in the handling of user sessions made it possible to sabotage competitors' sales, to pin one's own offers to Amazon's front page, or even to take Amazon's entire catalogue off the market. There was no reward for this, but that is of secondary importance; my primary intention was to protect thousands of associates, employees, investors and their families from a rude awakening.

The following was confirmed by Amazon Security under case number RM135******.

BUG/EXPLOIT: Vendors push up their offers, today's deals and special offers
by adding their own goods to fake accounts' baskets.

DESCRIPTION: Several vendors on Amazon use fake accounts to push up their
offers and special offers by adding those products to new accounts' baskets,
each account coming from a different IP via VPN or proxy connections.
Accessing Amazon's vendor items with an automated script and adding items to
baskets works like a charm (I gave a demonstration).

RISKS: This can be fully automated with browser emulation or with scripts that
ship their own JavaScript interpreter. With proxies and/or VPN connections on
top, the traffic looks like real user activity.

ATTACK VECTORS:
- Target: Amazon's web API
- Access: automated clients on port 80/443
- Weakness used: instant account creation (no validation required)
- Attack method:
1) Find any seller on Amazon
2) Add their product(s) to a shopping cart
3) Do not purchase the product(s); leave them in the cart
4) Repeat steps 2 and 3 until the seller has almost no items left
5) The offer is now listed on top.

Or:
1) Find any seller or any product on Amazon
2) Add their product(s) to a shopping cart
3) Do not purchase the product(s); leave them in the cart
4) Repeat steps 2 and 3 until the seller has no inventory left that is not
marked as sitting in someone's cart
5) A legitimate buyer now has to go to a different seller to buy the product

ATTACK IMPACT:
- One person can easily make a single vendor appear sold out, or push that
vendor's offer to the top of the list because of Amazon's item ranking method.
- One person with a large network of nodes could make all of Amazon appear
sold out.
- This attack could ruin the entire income of Amazon and its vendors.

LEGAL STATUS: This is unfair trading and contradicts the laws on fair
competition in (e-)commerce.
Under German/European law, Amazon can be held liable for such fraudulent
account activity. It is a case of negligence: fraudulent activity reaches
people who never registered at Amazon but still receive emails, because any
address can be entered at registration. It is also a violation by way of
misrepresentation of facts.

HOW TO REPRODUCE:
Create several accounts, with or without different IPs, and start adding
products, especially special offers, to their baskets. Creating fake accounts
is easy since you are logged in straight after registration without any
validation step. The attacker can enter any email address, even one they do
not own, and gets a working account whose basket they can fill. Proxying, or a
separate VPN connection per fake client, makes this look like real user
activity. After roughly 15 minutes the basket is purged if the session is not
refreshed by user activity, so the items are simply added to the basket again
to keep the offer on top or sold out.

HOW TO FIX:
- Purge accounts that have not been confirmed by email and/or mobile phone.
- Check validity first, before letting new users log in.
- Add email, mobile phone, address or passport/ID validation to the
registration process.
- Reject proxy networks such as Tor.

-> This not only prevents the loss of income, but also prevents Amazon from
being held liable in some countries for carelessly forwarding fraudulent
activity to customers or partners/vendors and harming their income.

BUGFIX IMPACT ON USER EXPERIENCE:
- Adding email validation with a link that logs the user in once the address
is authenticated does not impact the user experience negatively.
- Merely shortening the basket purge time would harm the user experience.
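To make the mechanism from HOW TO REPRODUCE and the first fix from HOW TO FIX concrete, here is an added model; it is not Amazon's code and takes only two facts from the post: stock that sits in a basket is treated as reserved, and an idle basket is purged after roughly 15 minutes. The listing, seller, account names and the 20-unit stock are constructed for the example. It runs the attacker loop (throwaway accounts that cart one unit each and never buy) against a listing, first with instant unverified registration and then with the post's fix, where unconfirmed accounts may browse but may not hold stock.

```python
"""Cart-hoarding model: stock that sits in a basket counts as reserved, and
idle baskets are purged after roughly 15 minutes (both per the post above).
Everything else is an assumption for illustration; this is not Amazon's code."""
from dataclasses import dataclass, field

HOLD_SECONDS = 15 * 60  # idle-basket purge interval reported in the post


@dataclass
class Account:
    account_id: str
    email_verified: bool = False  # instant registration => never verified


@dataclass
class Reservation:
    account_id: str
    qty: int
    expires_at: int  # seconds; dropped once the basket has been idle this long


@dataclass
class Listing:
    seller: str
    stock: int
    reservations: list = field(default_factory=list)

    def purge(self, now: int) -> None:
        """Drop reservations whose hold has lapsed (the idle-basket purge)."""
        self.reservations = [r for r in self.reservations if r.expires_at > now]

    def available(self, now: int) -> int:
        """Units a new buyer can still put in a cart right now."""
        self.purge(now)
        return self.stock - sum(r.qty for r in self.reservations)


class Shop:
    def __init__(self, require_verified: bool = False) -> None:
        # require_verified=True is the post's fix: unconfirmed accounts can
        # exist and browse, but they cannot hold stock.
        self.require_verified = require_verified
        self.accounts: dict = {}
        self.listings: dict = {}

    def register(self, account_id: str, verified: bool = False) -> None:
        self.accounts[account_id] = Account(account_id, verified)

    def add_to_cart(self, account_id: str, listing_id: str, qty: int, now: int) -> bool:
        acct = self.accounts[account_id]
        listing = self.listings[listing_id]
        if self.require_verified and not acct.email_verified:
            return False  # hardened path: no reservation for unconfirmed accounts
        if listing.available(now) < qty:
            return False  # "sold out", exactly what a real buyer would see
        listing.reservations.append(Reservation(account_id, qty, now + HOLD_SECONDS))
        return True


def hoard(shop: Shop, listing_id: str, n_accounts: int, now: int) -> int:
    """Attacker loop from the post: n throwaway accounts each cart one unit
    and never buy. Returns how many units ended up held."""
    held = 0
    for i in range(n_accounts):
        aid = f"fake-{i}"
        shop.register(aid, verified=False)  # any address, no confirmation step
        if shop.add_to_cart(aid, listing_id, 1, now):
            held += 1
    return held


def simulate(require_verified: bool) -> dict:
    """Attack a 20-unit listing (constructed), let a real buyer try, then re-run
    the attack right after the idle purge, as the post says the attacker does."""
    shop = Shop(require_verified)
    shop.listings["asin-1"] = Listing(seller="acme", stock=20)
    shop.register("buyer", verified=True)
    t0 = 0
    held = hoard(shop, "asin-1", 25, t0)  # more bots than units in stock
    avail_during = shop.listings["asin-1"].available(t0 + 60)
    buyer_ok = shop.add_to_cart("buyer", "asin-1", 1, t0 + 60)
    t1 = t0 + HOLD_SECONDS + 1  # the bots' holds have just lapsed
    avail_after_purge = shop.listings["asin-1"].available(t1)
    held_again = hoard(shop, "asin-1", 25, t1)  # attacker simply re-adds
    return {
        "held": held,
        "avail_during": avail_during,
        "buyer_ok": buyer_ok,
        "avail_after_purge": avail_after_purge,
        "held_again": held_again,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("require_verified=%s -> %s" % (mode, simulate(mode)))
```

With unverified accounts allowed to hold stock, the 25 bots take all 20 units, the real buyer is refused, and the attacker re-takes the stock the moment the purge runs; the model also shows why the post's last bullet is right: lowering HOLD_SECONDS only shortens the interval at which the bots re-add, it does not free the stock for anyone else. With the verified-only rule the same loop holds nothing and the buyer's cart succeeds.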

Posted at 2018-09-18 03:20:39 (updated at 2022-03-02 20:04:11 by b4sh)
in security

Tags: Amazon, Exploit, Firesale, Firebug, Bug