XSS Vulnerability in Amazon Developer Console

I’ve decided to migrate my personal blog, made with Jekyll, here to Medium, because I don’t have enough time to maintain it anymore. Medium seems a pretty fast and clean alternative that definitely handles the social and SEO aspects of a blog better than me.

Everyone is talking about Amazon’s security today, so I’ve decided to publish an entry from my “old” blog that describes a security vulnerability I found last year in Amazon Developer Console.

What’s Amazon Developer Console?

It’s the place where you can manage and publish apps in Amazon’s App Store. They recently added a new service called GameCircle, similar to Google Play Games, that adds gaming-related features like achievements and shared leaderboards to your app, so I decided to investigate it.

I simply pressed the button to Add a new configuration and tried to inject JavaScript code in the first input box.

When I hit Continue nothing special happened. The JavaScript string was in the configuration name and I thought Amazon correctly escaped the HTML tags in the final page.

I decided to go back and edit the name again when…

Yes, my code was executed! The problem was in a string below the real name, as you can clearly see in the latest screenshot. Also, the XSS was stored on Amazon’s servers: it was executed every time the user clicked on the GameCircle configuration.
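The failure described above, one stored value escaped in one place on the page and emitted raw in another, can be caught with a per-sink regression check. The following is an added example, not code from the original post or from Amazon; the markup, the function names and the probe string are assumptions made for illustration.

```javascript
// Added illustration: hypothetical edit-page renderer, not Amazon's code.

// Encode the characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// "Before": the heading is escaped, but the string below it reuses the raw
// stored name (assumed layout, mirroring the post's description).
function renderEditPageVulnerable(config) {
  return [
    `<h2>${escapeHtml(config.name)}</h2>`,
    `<p class="caption">Editing configuration ${config.name}</p>`,
  ].join('\n');
}

// "After": the value is encoded once and every sink uses the encoded form.
function renderEditPageFixed(config) {
  const name = escapeHtml(config.name);
  return [
    `<h2>${name}</h2>`,
    `<p class="caption">Editing configuration ${name}</p>`,
  ].join('\n');
}

// Regression check: store an inert marker containing markup characters and
// return the 1-based output lines where it comes back unencoded.
function findUnescapedSinks(render) {
  const marker = '<b data-probe="xss-check">'; // constructed, harmless probe
  return render({ name: marker })
    .split('\n')
    .map((line, i) => (line.includes(marker) ? i + 1 : 0))
    .filter((lineNo) => lineNo > 0);
}

console.log('vulnerable sinks:', findUnescapedSinks(renderEditPageVulnerable));
console.log('fixed sinks:', findUnescapedSinks(renderEditPageFixed));
```

Checking only the first place a value is displayed would have passed here; the check has to cover every view that renders the stored field, including edit forms.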

Timeline

10–04–2015

12:48 - Issue reported at security@amazon.com.

14:54 - Amazon answered me on Twitter.

19:20 - Fix released (pretty fast). Amazon asked me to confirm if the fix was correctly implemented.

Here’s a screenshot of the page after Amazon’s patch.

A video of the attack is also available on YouTube:

Unluckily, neither Amazon.com nor Amazon Web Services has a bounty program or a Hall of Fame at the moment.