Learning From Alexa's Multipart Exploit
To kick off our first edition of “A Learning Opportunity”, we’re starting with a really clever exploit chain discovered by Check Point Research. The researchers found three vulnerabilities that, exploited in concert, let an attacker install or uninstall Alexa skills and access user information (including voice history). All that was required on the victim’s end was a single click on a malicious link.
The first vulnerability was an overly broad CORS policy on several Alexa endpoints: any Amazon subdomain was accepted as an allowed origin. One of those endpoints also returned a CSRF token in its response, so a script running on any allowed origin could read that token and then perform state-changing actions on behalf of the user.
To exploit this, the researchers still needed somewhere to run their script from, which meant finding an XSS vulnerability. Because of the CORS misconfiguration, that XSS could live on any of Amazon’s subdomains, not just the Alexa ones.
Looking at track.amazon.com, one request takes two parameters: paginationToken and pageSize. If the pageSize value contains a non-digit character, the server errors out and returns a 500 response. That error response echoes the parameter values back with a Content-Type of text/html. That means a script tag can be passed through the pageSize parameter and will be executed in the context of track.amazon.com.
With the XSS found, the full attack flow is:
Victim is tricked into clicking a malicious link
Victim lands on the tracking subdomain with the malicious script passed via the pageSize parameter
The malicious script makes a credentialed cross-origin request to the Alexa endpoint that returns a CSRF token, which the browser lets it read because track.amazon.com is an allowed origin
Using that token, the script performs whatever actions the bad actor wants, such as listing, removing or installing skills
Takeaways
Narrow down settings as much as possible. In this case the CORS permissions were wide enough that an XSS on any amazon.com subdomain, not just on the Alexa properties, became a way to reach the Alexa endpoints with the victim’s credentials; an explicit allowlist of origins would have contained the blast radius of the tracking-page bug.
Always keep XSS in mind when handling user input, including in error paths. The input here was reflected through a relatively obscure route (a 500 page that echoed a query parameter as text/html), which just proves the point that you need to examine every place your code writes user-controlled data into a response, not only the happy path.
That’s it for this edition. If you have any feedback on the formatting of the message or suggestions for vulnerabilities to break down, feel free to contact me on Twitter.
Please share this newsletter with your friends and co-workers!