back to article I helped find an XSS hole and all I got was this lousy t-shirt

Amazon has patched dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking. A Brazilian hacker using the handle @BruteLogic published the then-zero-day flaw to Saturday without tipping off the book giant. Amazon swatted the flaws two days later. The time between …

  1. Bill the Sys Admin

    They will be wishing they gave more than a t shirt next time when somebody decides not to tell them because its not even worth their time.

    1. Unicornpiss


      "They will be wishing they gave more than a t shirt next time when somebody decides not to tell them because its not even worth their time."

      My understanding from the article is that Amazon was not told of this flaw, but instead it was posted elsewhere on the web and subsequently brought to their attention. I suppose the next person that discovers a vulnerability could just exploit it and not tell anyone, but that happens everyday anyway...

      1. big_D Silver badge

        Re: @Bill

        @Unicornpiss exactly, the question is, did he approach Amazon and they told him to get lost / they don't have a bounty programme or did he not find any mention of it and just published it openly?

        Either way, publishing it openly is the wrong thing to do. EoS.

        1. VinceH

          Re: @Bill

          "Either way, publishing it openly is the wrong thing to do. EoS."


          I accidentally discovered a flaw on Amazon's site (the UK site, but it's possible the same thing applied to other sites) some years back that could result in duplicated/forked accounts with different access details. I couldn't cause it to happen again, so it might have already been fixed (just as it might be that I couldn't work out what caused it in the first place).

          Therefore, since I wasn't aware if they had become aware of the problem and definitely fixed it - and because there may have been other people out there with similarly forked accounts (who, IMO, they should have notified if that was the case) I decided to contact them.

          Amazon - or the Amazon twit I communicated with - really, really weren't in the slightest bit interested, and even shifted the blame onto me.

    2. asdf


      As big an a s s hat as many companies are he is probably lucky they didn't sue him for some DMCA violation (yes US only law but when has that stopped them) for even mentioning anything about this flaw.

  2. PCS

    "His reasoning for full disclosure was that Amazon did not pay cash for bug bounty reports."

    So he did it for the money then and nothing else?

    Is altruism dead and forgotten?

    1. Anonymous Coward
      Anonymous Coward

      In a word: YES

      I have lost count of the number of companies - JustEat springs to mind - where I have been forced to use their sucky interface (believe me, sucky is being kind in this case - especially seeing as it replaced the infinitely superior Meal2Go) commented on such, and received an invitation to "discuss it with our development team".

      Or in other words do my job (and theirs) for free. No thanks you tight gits - you should have spent the money in the first place.

      Quick show of hands. How many El Reggers have been invited to work for free after pointing out faults and flaws in company websites ?

      1. joeW

        Re: In a word: YES

        "Quick show of hands. How many El Reggers have been invited to work for free after pointing out faults and flaws in company websites?"

        I'll go you one better. After declining their offer to discuss a security issue I discovered with a site's dev guys, they threatened legal action. Basically "help us fix it for free or we'll have the cops nab you for hacking".

        I politely declined that little offer too.

      2. This post has been deleted by its author

        1. Brandon 2

          Re: In a word: YES

          It's not just in the IT industry that people are put upon to work for free... Just ask a machinist, a photographer, a singer, accountant, etc etc. It's up to you as an employee to know what you're worth and have healthy boundaries and negotiating skills. Quid pro quo.

          1. Dr. Mouse

            Re: In a word: YES

            It's not just in the IT industry that people are put upon to work for free

            However, I do think it is more "expected" than any other, especially within (and just beyond) a circle of friends.

            I have lost count of the number of weekends I have wasted fixing a "little problem" with a friend's computer. I have also lost count of the number of shocked faces I have seen when I suggested I should be paid for the work. "But all you need to do is push a few buttons" seems to be the thought process.

            Things are different when you look at someone like a band (a mate's band charged me, albeit at mates rates, for singing at my engagement do, and I was happy to pay) or a plumber (they will generally diagnose the issue for free but charge, at mates rates again, for doing the actual work, which I am happy to pay). These are expected. They are doing "real work", not just playing with a computer.

      3. Synonymous Howard

        Re: In a word: YES

        Take a look down the list here...

    2. paulf

      I can't help thinking Amazon has plenty of resources to find these bugs themselves if they really wanted, or even debug their code sufficiently so they're not there in the first place.

      The Altruism argument falls down because Amazon are a pretty massive company and stood to lose more from exploitation than they would have done by paying a bug bounty. If this bug is present then it's likely not the only one which shows their own debug procedures are inadequate.

      Bug bounties seems to be a pretty established MO now. Bug finder gets a tidy reward for their work to prove the bug existence (and also to avoid them exploiting it) while $MEGACORP gets detailed information to fix bug before someone does exploit it with all sorts of reputational damage.

      If you're really keen to debug Amazon's codebase for free in your spare time do feel free!

      1. Robert Helpmann??

        A Simple How-To

        I can't help thinking Amazon has plenty of resources to find these bugs themselves if they really wanted, or even debug their code sufficiently so they're not there in the first place.

        You are implying that they ought to have a team that actually tests for security holes as part of the development team. Adding security to development? What is wrong with you?! Next, you will say they ought to do user acceptance testing.

    3. DNTP


      I don't consider "doing free technical work to save someone else's CORPORATION from FINANCIAL consequences" as altruism, you know.

      Technological altruism is helping your neighbor with their dodgy connection or reporting a flaw in a medical device that could harm a PERSON. If a company wants help with their bottom line they better damn pay what it's worth.

    4. Triggerfish

      Altruism dead? It must be after all Amazon keep charging me for stuff I want.

  3. Peter 26

    Smaller Companies - Bugs

    I come across security bugs like this all the time on smaller sites, some massive like javascript sanitation of input and nothing else! But usually I just move on as there is no benefit to me in telling them. In fact all I will get at best is hassle dealing with people who don't care, at worst a possible criminal complaint for probing their system.

    Want to make some money?

    Setup a site where people can log these issues against specific sites to act as a middle man. The site will then email the company on your behalf and offer the info at a price. The middle man obviously will take a cut.

    List on your site the web sites exploits have been found for and what type it is, but obviously no details, that should get them paying!

    1. Anonymous Coward
      Anonymous Coward

      Re: Smaller Companies - Bugs

      Blackmail and extortion are illegal you know.

      1. Peter 26

        Re: Smaller Companies - Bugs

        I'm no lawyer, but I'm pretty sure for Blackmail or extortion it's a case of pay up or I'll do such and such to harm you. In this case it's pay up or I will do nothing except keep the information to myself.

        1. This post has been deleted by its author

          1. Peter 26

            Re: Smaller Companies - Bugs

            This is why I think a middle man is best. They can get lawyers involved and sort out all the technicalities that individuals can't do. e.g. Making sure it is made absolutely clear that this is not blackmail for starters.

    2. Anonymous Coward
      Anonymous Coward

      Re: Smaller Companies - Bugs much this.

      I worked for a financial institution who had contracted for a local alarm company to install a system at a new branch. The system used an RF transmitter operating in the licensed 'business-band' frequencies, around 450mhz. I insisted (per policy) that the company configure a secondary connection via IP or POTS. They went on and on about how secure and reliable their RF connection was and refused to install a secondary communcation link. I said I can google their frequency(and showed them the FCC ULS site) then buy a jammer off ebay that will jam their frequency and prevent any communication. This was enough to get the installer to put in a secondary connection.

      I received a call from the owner of the company the next day. He first confirmed that what I said was true, then threatened to call law enforcement and report me 'if his system so much as hiccups'. Then he hung up on me.

      We demanded he remove all of his equipment and terminated all relationships with the company.

      1. This post has been deleted by its author

    3. Robin Bradshaw

      Re: Smaller Companies - Bugs

      Peter 26 you mean like this, where the amazon xss was reported? :)

      1. Peter 26

        Re: Smaller Companies - Bugs

        No, you get money for it. It's not public disclosure.

  4. JimmyPage Silver badge

    Or alternatively

    Big companies lobby the government(s) to tighten up the law so that it becomes a criminal offence not to disclose bugs you find in websites to the owners. That way they don't have to spend any money on decent development and can use the threat of prison to enforce compliance.

    A little bit like it being a criminal offence (in the UK) not to notify police if Uncle Ahmed has popped off to Syria.

    Bear in mind there's *already* a delicate line to tread between asking for payment to divulge details of a bug and blackmail.

  5. Joe Harrison


    I explained to Tesco once that under some circumstances their website would fail to use SSL when serving the "type in your credit card number" checkout page. They sent me a five-quid voucher

    1. JimmyPage Silver badge

      Re: Fiver

      Pretty galling when you know they would happily have paid at least ten thousand times that much for the same information from a whizzy startup outfit ....

    2. This post has been deleted by its author

    3. Tcat

      Re: Fiver

      Nice. I discovered an Atlanta Motel was showing the padlock in (improperly) IE on a SSL fail in payment transfer. I called to warn them and was threatened for 'hacking' (and I was booking my room while in Mexico). I replied with a fax cancellation and informed them I would be contacting the GA State Attorneys Office faster than they could call Atlanta PD.

  6. Anonymous Coward
    Anonymous Coward

    "the house always wins"

    and if doesn't win because you have outsmarted them, they will come after you with a vengeance - just like in casinos.

  7. JDX Gold badge

    Protection Racket

    "That's a nice website you have there. It would be terrible if someone publicly disclosed a security vulnerability".

  8. Anonymous Coward
    Anonymous Coward

    Call the waaaahmbulance

    Suck it up princess

  9. Henry Wertz 1 Gold badge

    Altruism isn't dead but doesn't apply here.

    "Is altruism dead and forgotten?"

    No, but when dealing with a multi-billion dollar company, I don't see the need for being altruistic. They can a) pay at least a token $100 or whatever. And b) have a security contact, I would not go through layers of tech support to report a security flaw (not saying they don't already do this, maybe they do.)

    Also, here's a nasty flaw. I'm reporting it here, because Google's support interface is damn near useless, and when I reported it on their support forum the response was a) someone snarkily putting "my friend" in quotation marks, implying that it was my computer problems and not his. b) Saying I got scammed (again ignoring it was my friend -- and nobody got scammed.)

    So he wanted to transfer paid Android games from his old Google account to his new one. (Why he didn't just put the old account in his new Android device I don't know.) He got all flustered and finally decided to call Google (which I didn't think would help but didn't think it could hurt either). I Google'd the phone number, 1 (650) 253-0000. I Googled *that* number to make sure it was actually Google's (and not some scam paid listing or something), and it is. My friend dialed it -- and instead of going to Google, it went to a scammy Indian call center! They dicked around for like 20 minutes pretending to transfer account info, then wanted to bill him $120. He handed the phone to me and I was like "Is this someone at Google? If so, you already have his credit card info..." "Oh, no you've got to go to this site and..." "No, if you're google as you claim you already have his info." I hadn't the phone back to him and he hung up. Don't try to scam someone out of their card info by impersonating someone that already has that info 8-). NOBODY in the Google forum addressed "How did Google's main phone number get redirected to someone else?" instead making snarky remarks. They have NO forum for security issues, and no E-Mail contacts whatsoever to contact someone like a professional. Given this experience I would NEVER report a flaw to Google, I would report flaws publicly (especially given the only option to reach Google is ALREADY a public forum!)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like