Amazon Cookie Re-Use

Background

I'm teaching a class titled Securing Web Applications, based on the Web Application Hacker's Handbook. Last night, I demonstrated how to use Burp to identify Amazon's session cookie.

As shown below, the "x-main" value is sufficient to identify my account, which is named "samccsf".

Hacked for Five Months

Today, @realRaku_cat sent me the Tweet shown below, linking to this account of an Amazon customer, whose account has been under hostile control for five months. Password changes have no effect, and Amazon's tech support seems helpless.

This sounds like the same cookie re-use vulnerability, I published in 2013 and presented at BSidesLV and DEF CON, as shown below.

Re-Testing Amazon

I copied the Amazon cookie value shown in the Burp image above, which was:
012ZNALPc0PXcGLZjEn6?jVFPO17A0Y8R6woXg?wGP0nyBYBZsMMJ98BiZ3UPqOr
Then I changed my Amazon password, as shown below.

Reloading an Amazon page after the password change shows that the cookie value remains unchanged, which is very unwise.

If a user is changing a password, they are clearly making an effort to eject intruders, so Amazon should invalidate old cookies.

Sure enough, replaying an old request with the old cookie value still gets into my account, as shown below.

Conclusion

This remains a serious security problem. Each time a user logs out, old cookies should be invalidated at the server. But Amazon doesn't ever invalidate them, not even after a password change.

This exposes customers to persistent account compromise as reported by that Reddit user. An attacker with a stolen cookie can just continue to use the compromised account and password changes have no effect.

As I found out in 2013, almost no one cares about this problem, including Amazon. And, obviously, they still don't care. But it's only a matter of time. Eventually this insecure practice will go out of fashion, like plaintext logins, plaintext cookie transmission, and so many unwise Web app practices.

Invitation to Hack Me

As astute readers have probably noticed, all of you can now enter my Amazon account at will and wreak havoc. Feel free to do so. It's a test account with no credit cards, and if you manage to do interesting things I'll add them to the bottom of this page.

Everyone is welcome to hack me anyway, as long as they adhere to the restrictions in my disclosure policy. Have at it!

Posted by Sam Bowne, 3-1-18