Amazon and MSN flaws could aid phishers

Microsoft and Amazon have been ignoring website flaws that could aid hackers, according to a security researcher.

The flaws, which let attackers steal "cookie" data to use in phishing frauds, have been reported to Microsoft and Amazon but with little or no response, according to Yash Kadakia, the independent security researcher who discovered them.

The cross-site scripting flaws he discovered are generally considered to be low-risk problems, but Kadakia's attack involves a technique called CRLF (carriage return line feed) injection, which can be used in a more serious and widespread attack, he said. This would allow attackers to steal 'cookie' data that and access Amazon.com and MSN accounts, or to display a fake login page that could be used in phishing attacks.

Kadakia said he first notified Microsoft of the problem about a year ago. But he said he was not taken seriously until late last week, when he posted screenshots of the flaw being exploited on his website.

The Amazon flaw was discovered in December, but after some initial discussions with the web retailer, the vulnerability remained unpatched, Kadakia said. "The conversations got dropped off somewhere," he said.

A spokesman for Microsoft's public relations agency said the flaws were now being investigated. Amazon executives were unable to comment on this story.

Though Microsoft has talked up its focus on security, the company appears to be slower at dealing with security issues relating to its web properties than software product concerns, said Stefano Zanero, co-founder and chief technology officer at security consultancy Secure Network.

Web flaws similar to the type discovered by Kadakia have been around for a long time, but hackers have tended to focus their efforts on OSs (operating systems). However, with OS flaws now becoming harder to find, the bug hunters are looking for new areas, including web applications.

According to Zanero, there are a lot more web vulnerabilities to be discovered. "We do web application penetration testing as one of our core business services, and we've found huge holes in every single web application we've tested to date," he said. "This thing is just waiting to explode."

Earlier this month, a worm began making the rounds at Yahoo's web-based email server. Called JS.Yamanner@m, the worm did not cause widespread damage, but it drew attention to the vulnerability of some web applications.

The slow response by Microsoft and Amazon.com shows that web-based vulnerabilities are not a top concern to many websites, Zanero said. "It's the sluggish handling of these things that's surprising," he said. "These vulnerabilities were on two of the world's best-developed websites, somebody found them out, and nobody cared for a year or so."

Meanwhile, Amazon and Microsoft are now trying to fix the bugs, Kadakia said.

Not all security experts agreed that the bugs Kadakia has discovered are critical. "These are actually fairly common types of exploits," a Symantec spokesman said in an email note. "Nothing to write home about."

Nevertheless, Symantec appears to be taking the problem more seriously than Microsoft, Kadakia said.

The security researcher recently notified Symantec about a similar flaw on its own site. "It was fixed in a week," he said.