Amazon patches nasty cross-site scripting (XSS) security vulnerability
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
March 26, 2015
Amazon said this morning that it has patched some critical cross-site scripting (XSS) security vulnerabilities on its platform that exposed customer accounts to hijacking and other security issues.
In an initiative, a Brazilian hacker using the handle @BruteLogic published the then-zero-day flaw to XSSposed.org Saturday but without tipping off Amazon first handedly as he probably should have.
Amazon then talked about the flaws a little over two days later. The time between the security flaw's disclosure and the patch applied was a chance for Amazon accounts to be compromised and web browsers exploited, and unfortunately, that's just what happened.
The hacker's reasoning for full disclosure was that Amazon didn't pay cash for bug bounty reports.
He says the security vulnerability allowed attacks to view Amazon user credit cards and then to purchase items in their names, provided a victim clicked on a crafted malicious link.
Amazon has been contacted for comment. This isn't the first time we report about such a similar event-- it happended a few times in the past and will most likely again happen in the near future.
Overall, cross-site scripting security vulnerabilities are a persistent and frequent issue on internet assets.
It allows hackers to quietly target victims using vulnerable web applications that do not properly check various inputs.
To be sure, the Open Web Application Security Project places XSS as the third worst application security problems behind broken authentication and SQL injection attempts.
"An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way of knowing that the script shouldn't be trusted, and will simply execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page," he added.
That critical security flaw follows Amazon's September blunder after it reintroduced a hole in its Kindle management page that could have allowed attackers to inject malware into a book's title which could have commandeered user accounts in a very nasty way.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!