Stored XSS Vulnerability in Amazon (or How to hack Amazon with a book)

jerf · on Dec 17, 2010

Just replicated the Stallown3d!1 one, it's still there.

Actually a useful link to have; I've had some difficulty convincing people in the past that this sort of injection is a big deal and that's a convenient, harmless way to prove the point.

pbhjpbhj · on Dec 18, 2010

Doesn't that mean you only need to control http://ha.ckers.org/s.js (or similar) rather than write a book?

schrototo · on Dec 17, 2010

This has to be the funniest XSS hack of all time.

iwwr · on Dec 17, 2010

The Bobby Tables of literature

infinity · on Dec 17, 2010

This is fantastic! Great find. It reminds me a little of the idea of pen and paper attacks, like this http://news.ycombinator.com/item?id=1721494

But writing a book as an attack vector is certainly epic.

kingofspain · on Dec 17, 2010

Couple of $$, Createspace. Bait-y title. Merry xmas!

Mithrandir · on Dec 17, 2010

Couldn't do it w/o logging in, until I copied the url from the author's picture.

http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense...

code_duck · on Dec 18, 2010

Now THAT would be an elaborate hack to pull off. Obviously Amazon never thought of that! Between this and the magic goggles, this week is turning out to be so interesting.

Groxx · on Dec 17, 2010

That is an epic XSS hack. I think they won.

FluidDjango · on Dec 18, 2010

Possibly fixed?

I'm not seeing this vulnerability now via Mac FireFox 3.6.12 or Safari.

infinity · on Dec 19, 2010

It seems so, I'm not seeing this with Internet Explorer. The Book Preview does not work at all in Opera :-(

Mithrandir · on Dec 18, 2010

ha.ckers is down. :(