Amazon 1Button, a browser add-on that provides users with easy access to the Amazon online marketplace, is leaking private information like a sieve, according to a security researcher.
Krzysztof Kotowicz, a researcher specializing in Web security, said the app reports every URL you visit to Amazon, even those visited in encrypted HTTPS sessions, attaches a script to any website you visit, and reports your Web activities to Alexa.
The Google Chrome extension is particularly worrisome, Kotowicz said, because it requires the user to approve the app’s ability to access data on all websites, read and modify bookmarks, detect physical location, access browsing activity, manage apps, extensions and themes, and access data that is copied and pasted. There are nearly two million users of this app, he said.
“There are a few interesting things going on (all of them require no user interaction and are based on default settings),” Kotowicz said.
In analyzing the app’s privacy violations, Kotowicz also found a contradiction in Amazon’s privacy policy, which states that any information collected about browsing activities is not associated with a user’s Amazon account.
Alexa is an analytics service that tracks the performance of top websites. The information sent by Amazon 1Button to Alexa not only includes URLs, but Google searches too—even those sent over HTTPS—along with the first few results returned. The URL and page information, Kotowicz discovered, is sent in plain text over HTTP to widgets[.]alexa[.]com.
“So man-in-the-middle attackers can access the information that the extension is configured to send to Alexa,” he said. “The real problem though is that attackers can actively exploit described extension features to hijack your information, e.g. get access to your HTTPS URLs and page contents. [The] extension dynamically configures itself by fetching information from Amazon. Namely, upon installation (and then periodically) it requests and processes two config files.”
The files define which HTTPS sites can be inspected, which URL patterns to search for, and which XPath expressions to extract and send to Alexa, Kotowicz said. The files were sent in the clear, but last Friday Amazon changed them and they are now served over HTTPS, he said.
On his site, Kotowicz demonstrates a script that converts the Chrome extension into a transparent HTTPS-to-HTTP proxy. An attacker would need to route traffic to the proxy and launch the script he wrote. There are limitations, he added, but he was still able to capture traffic, session IDs, email messages, documents and more.
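For defenders reviewing an extension's traffic, the two conditions described above (HTTPS URLs reported over plain HTTP, and remote config fetched in the clear) can be flagged from a capture of the extension's requests. This is an added example, not Kotowicz's script or Amazon's code; the entry shape, the `purpose` label and the `*.example` hosts are assumptions made for illustration.

```javascript
// Added example: audit captured extension traffic for HTTPS data leaving in cleartext.
// SAMPLE is constructed; *.example hosts are placeholders, `purpose` is an analyst label.
const SAMPLE = [
  { url: 'http://collector.example/report?url=https%3A%2F%2Fmail.example%2Finbox%3Fsid%3Dabc123&ref=' },
  { url: 'http://collector.example/config/rules.json', purpose: 'config' },
  { url: 'https://collector.example/report?url=https%3A%2F%2Fbank.example%2F' },
  { url: 'http://collector.example/ping?v=1' },
  { url: 'http://collector.example/report', body: 'u=https%253A%252F%252Fdocs.example%252Fd%252F42' },
];

// Reported URLs are often encoded more than once; decode until stable (bounded).
function decodeDeep(value, rounds = 3) {
  let out = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (_) { break; } // malformed escape
    if (next === out) break;
    out = next;
  }
  return out;
}

function auditRequests(entries) {
  const findings = [];
  for (const e of entries) {
    let u;
    try { u = new URL(e.url); } catch (_) { continue; } // skip unparsable entries
    if (u.protocol !== 'http:') continue; // only cleartext is readable on the path
    // Each query value and the body may carry a visited HTTPS URL.
    const values = [...u.searchParams.values(), e.body || ''];
    for (const v of values) {
      for (const hit of decodeDeep(v).match(/https:\/\/[^\s"']+/gi) || []) {
        findings.push({ type: 'https-url-in-cleartext', host: u.hostname, detail: hit });
      }
    }
    // Remotely fetched config over HTTP can be rewritten in transit.
    if (e.purpose === 'config') {
      findings.push({ type: 'cleartext-config', host: u.hostname, detail: u.pathname });
    }
  }
  return findings;
}

console.log(auditRequests(SAMPLE));
```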