Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation



Amazon Website Covert Redirect Web Security Bugs Based on Facebook – Attack Simulation

“, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)


Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)




(1) Vulnerability Description:

Amazon online website has a computer security bug problem. Hackers can exploit it by Covert Redirect attacks. This allow them to get users’ sensitive information by attacks such as phishing.


The code programming flaw exists at “redirect.html?” page with “&location” parameter, e.g.

The vulnerability can be attacked without user login. Tests were performed on Safari 6.1.6 in Mac OS X 10.7.5, IE 8 in Windows 7, Chromium version 37.0.2062.120 in Ubuntu 12.04 (281580) (64-bit).



(2) Vulnerability Details:

When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the redirection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,




(3) Use one of webpages for the following tests. The webpage address is ““. Suppose that this webpage is malicious.


Vulnerable URL:






(4) Vulnerability Disclosure:

The vulnerability was reported to Amazon in the beginning of February 2014. Amazon has patch part of the vulnerability.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s