
Amazon CSRF “hack” in detail?

UPDATE: According to an updated Wired news story, this was a sham and no hacker was involved.

RSnake recently posted an entry linking to a write-up of how a Cross-Site Request Forgery (CSRF) flaw in Amazon's content-reporting feature was used to get gay and lesbian books banned from Amazon's site via its reputation system.

From the person who posted the write-up:

"Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called 'Cross-site request forgery'. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.

I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.

I also hired third worlders to register accounts for me en masse. If you ever need a service like that, you can find them in a post like this advertising in the comments: http://ha.ckers.org/blog/20070427/solving-captchas-for-cash/"
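The mechanism the quote describes, as an added example that is not code from Amazon or from the poster: a simulated "report as inappropriate" endpoint in its vulnerable form (a GET that acts on the session cookie alone), the hidden-iframe page a third-party site would embed, a simulated pre-SameSite browser that fetches the iframe with the victim's cookies attached, and a hardened form of the same endpoint. The host `amazon.example`, the path `/report`, the item ids and the referring site are assumptions made up for the illustration.

```python
# Added example (not Amazon's code or the original poster's): a simulated
# "report as inappropriate" endpoint in its vulnerable form, the attacker's
# hidden-iframe page, and a hardened form. Host, path and item ids are made up.
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE = "https://amazon.example"          # assumed target origin


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class ReportService:
    """Server side of the complaint feature. hardened=False reproduces the
    flaw described in the quote: a GET with a valid session cookie is enough."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}    # session id -> {"user": ..., "csrf": ...}
        self.complaints = {}  # item id -> set of users who reported it

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def complaint_count(self, item: str) -> int:
        return len(self.complaints.get(item, set()))

    def _record(self, item, user):
        self.complaints.setdefault(item, set()).add(user)

    def handle(self, req: Request):
        session = self.sessions.get(req.cookies.get("session"))
        if session is None:
            return 401, "login required"
        if req.path != "/report":
            return 404, "not found"
        if not self.hardened:
            # Vulnerable: the cookie alone is taken as proof the user wants this.
            self._record(req.query.get("item"), session["user"])
            return 200, "complaint recorded"
        # Hardened: state change only via POST, from our own origin, with a token
        # bound to the session that a cross-site page cannot read.
        if req.method != "POST":
            return 405, "use POST"
        if req.headers.get("Origin") != SITE:
            return 403, "cross-site request refused"
        token = req.form.get("csrf", "")
        if not secrets.compare_digest(token, session["csrf"]):
            return 403, "missing or invalid CSRF token"
        self._record(req.form.get("item"), session["user"])
        return 200, "complaint recorded"


def attacker_page(item: str) -> str:
    """The invisible iframe the quote describes, placed on a third-party site."""
    return (f'<iframe src="{SITE}/report?item={item}" width="0" height="0" '
            f'style="display:none"></iframe>')


def browser_loads_page(service, html, victim_cookies):
    """Simulates an older browser (no SameSite cookie defaults) rendering the
    attacker's page: it fetches the iframe src and attaches the victim's
    cookies for SITE. A plain GET navigation carries a Referer but no Origin."""
    url = re.search(r'src="([^"]+)"', html).group(1)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    req = Request("GET", parts.path, query, dict(victim_cookies),
                  headers={"Referer": "https://hightraffic.example/"})
    return service.handle(req)


def legitimate_report(service, sid, item):
    """What the site's own form does: POST from SITE with the session's token."""
    token = service.sessions[sid]["csrf"]   # rendered into the site's own HTML
    req = Request("POST", "/report", {}, {"session": sid},
                  form={"item": item, "csrf": token}, headers={"Origin": SITE})
    return service.handle(req)


def demo(hardened: bool):
    """Log a victim in, have them visit the attacker's page, report the outcome."""
    svc = ReportService(hardened)
    sid = svc.login("victim")
    status, _ = browser_loads_page(svc, attacker_page("ITEM-1"), {"session": sid})
    return status, svc.complaint_count("ITEM-1")


if __name__ == "__main__":
    print("vulnerable:", demo(False))   # (200, 1): complaint registered silently
    print("hardened:  ", demo(True))    # (405, 0): iframe GET is rejected
```

Two points the simulation makes visible: the vulnerable endpoint cannot distinguish the victim's intent from the attacker's, because the only credential it checks (the session cookie) is attached by the browser automatically; and the hardened endpoint refuses the forged request three separate ways (wrong method, foreign origin, no session-bound token), so it does not depend on browser cookie defaults such as SameSite=Lax, which newer browsers apply and which would already withhold the cookie on a cross-site iframe load.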

He has posted some additional details at http://community.livejournal.com/brutal_honesty/3168992.html; however, it is unknown whether this is the actual attacker or the actual cause of the situation. No comment from Amazon yet.