Saturday 4 April 2015

Lack of HTTPS on Amazon 2015

If you are browsing Amazon and someone is capturing your connection, that person can easily see what you are browsing on Amazon or the things you are buying.
If you commonly visit Amazon then you might have noticed that Amazon is not using HTTPS everywhere on its website. Only a few pages are served over HTTPS.

[Image: amazon_lock_http]

The person who is spying can even see what has been purchased. This is how it can be done. Suppose you bought an iPod on Amazon one month ago. One day you want to check the warranty date, so you go back to the website and click on My purchases. That page is secure (HTTPS). Then you click on your item, and you are taken back to a page which is not secure (HTTP). The hacker again gains access to what you are looking at, because of the ref field in the URL bar, which tells the hacker from which page the victim is coming.
[Image: amazon_lock_order_history]
So in this way your security is compromised because of a fault in the website. Stephen Merity found this problem and contacted Amazon; they replied with no good news, so he decided to share it with others. Stephen Merity wrote this in his blog:
I reported this to Amazon previously via their security email but received a boilerplate response. Considering anyone interested in utilizing this information leak would already be doing so, I feel it's worth raising awareness about the situation. At the very least, it adds to some of my previous articles on the lack of default HTTPS on Google Analytics and when HTTP referrers appear and disappear.
This could easily have been fixed by removing the ref variable from the URL, but Amazon did nothing.
The attacker can also get other information, such as what was last purchased, from whom, etc.
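The leak described above comes from the ref tag that Amazon appends to the URL of the next page: when that page is plain HTTP, the tag travels unencrypted and reveals the secure page the user came from. The following Python is an added example, not code from the post or from Amazon. It shows, for a constructed sample URL, how a defender (for example in a link-rewriting proxy or a site's own URL builder) can pull out the ref tag, judge whether it points back at a sensitive page, and strip it, which is the fix the post proposes. The URL, the `/ref=` path convention handled here, and the meaning assigned to the `oh_` and `ya_` prefixes are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: an Amazon-style product URL reached from the (HTTPS)
# order-history page. The trailing "/ref=..." segment is the site's own
# navigation tag; its exact meaning is an assumption for this example.
SAMPLE_URL = (
    "http://www.amazon.com/dp/B000EXAMPLE/ref=oh_aui_detailpage_o00_s00"
    "?ie=UTF8&psc=1"
)

# The ref tag appears as a trailing path segment "/ref=<tag>".
REF_SEGMENT = re.compile(r"/ref=[^/?#]*")
REF_QUERY_KEYS = ("ref", "ref_")

# Prefixes we treat as revealing a sensitive origin page. Assumed mapping,
# used only to illustrate the classification step.
SENSITIVE_PREFIXES = {"oh_": "order history", "ya_": "your account"}


def extract_ref(url):
    """Return the ref tag carried in the path or query string, or None."""
    parts = urlsplit(url)
    match = REF_SEGMENT.search(parts.path)
    if match:
        return match.group(0)[len("/ref="):]
    for key, value in parse_qsl(parts.query):
        if key in REF_QUERY_KEYS:
            return value
    return None


def leaks_origin(url):
    """Describe what the ref tag reveals about the page the user came from.

    Returns None when there is no tag, a label from SENSITIVE_PREFIXES when
    the tag points at a sensitive page, and a generic label otherwise.
    """
    ref = extract_ref(url)
    if ref is None:
        return None
    for prefix, meaning in SENSITIVE_PREFIXES.items():
        if ref.startswith(prefix):
            return meaning
    return "other navigation tag"


def exposed_over_plaintext(url):
    """True when the URL, and therefore its ref tag, travels unencrypted."""
    return urlsplit(url).scheme == "http"


def strip_ref(url):
    """Return the URL with the ref tag removed from both path and query."""
    parts = urlsplit(url)
    path = REF_SEGMENT.sub("", parts.path)
    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query) if k not in REF_QUERY_KEYS]
    )
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    for url in (SAMPLE_URL, "https://www.amazon.com/s?k=ipod&ref=nb_sb_noss"):
        print("url:       ", url)
        print("ref tag:   ", extract_ref(url))
        print("reveals:   ", leaks_origin(url))
        print("plaintext: ", exposed_over_plaintext(url))
        print("sanitised: ", strip_ref(url))
        print()
```

Only a URL that both carries a sensitive tag and is exposed over plaintext is a problem in the post's scenario; a sanitiser that always strips the tag is the simplest way to stop caring about which of the two conditions holds.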