AI Prompt Engineering Meets a Missing CAPTCHA, and Why CloudFront Does Not Filter the Requests

Levko Kravchuk
3 min read · Jul 14, 2024


Hello everyone,

I want to share how easy it is to exploit vulnerabilities on a website and how Ericsson ignored my report. Here’s what happened.

Applying for a Position at Ericsson

When I applied for a job at Ericsson, I discovered their “Join Talent Network” form. This page allows anyone to enter a First Name, Last Name and Email and upload a resume for future opportunities. It seems like a convenient solution, but there are significant issues:

  1. No privacy notice: the form shows no GDPR notice, so the person whose data is submitted does not know what Ericsson may do with it, or that it was submitted at all.
  2. Email spam: anyone can add any email address to the list without the address owner’s permission, and the same address can be submitted repeatedly. Each submission triggers a message, so the owner’s inbox can be flooded.
  3. Billing abuse: because every submission causes a paid outbound email, an attacker can run up Ericsson’s costs by automating submissions (sometimes called a billing or “denial-of-wallet” attack).

The Role of CloudFront and Amazon

You might wonder how CloudFront and Amazon are involved in this. Here’s the explanation:

By using a browser’s developer tools or Burp Suite, we can observe the requests and the server’s responses. The response headers show that the site is served through Amazon CloudFront:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Vary: Cookie
  • Via: 1.1 25b9a991f871f75614e7f92f97b136a4.cloudfront.net (CloudFront)
  • X-Amz-Cf-Id: dX0a5S59w1rro45VsIT8NMQQV9DMUtLIk4GSqewN0requqN2W7AMJQ=
  • X-Frame-Options: SAMEORIGIN

Looking at the headers of the email the form sends, the messages come from Amazon SES, a metered (pay-per-message) service:

  • DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  • Received: from a27-248.smtp-out.us-west-2.amazonses.com (54.240.27.248)

An attacker can exploit this by submitting the victim’s address many times, flooding the victim and increasing Ericsson’s SES bill with unwanted messages (a billing attack). Because the endpoint requires no authentication, no proof that the requester controls the address, and no effective rate limit, it is straightforward to exploit.

Preventive Measures

To prevent this, two separate controls are needed. First, proof of address ownership: send a one-time code or a confirmation link and store the address only after it is confirmed (double opt-in), and never send more than one confirmation per address within a given period. Second, automation resistance: a working CAPTCHA plus per-IP and per-address rate limits, and strict length limits on every field. This would also stop scripts from filling the fields with junk and uploading empty files, which are likely stored in Amazon and add to the storage bill.
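As an added illustration of these controls (this is example code, not Ericsson’s implementation), the handler below accepts a sign-up request, enforces length and format limits, applies a sliding-window rate limit per client IP and per address, and sends at most one HMAC-signed confirmation token per address per day. Nothing is written to the member list until the token comes back. The limits, the secret handling, and the in-memory stores are assumptions chosen for the example; a real deployment would call SES where the code appends to `emails_sent` and would keep state in a shared store. It also covers the oversized-field problem discussed later on this page (100,000-character names), which the length check rejects before any rate-limit quota is spent.

```python
"""Hardened talent-network sign-up: double opt-in, input limits, rate limits.

Added example, not the code behind the form discussed on this page.
"""
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Assumed server-side secret; in production, load it from a secret store.
TOKEN_SECRET = secrets.token_bytes(32)

MAX_NAME_LEN = 100            # assumed limit; the live form accepted 100,000 chars
MAX_EMAIL_LEN = 254           # practical maximum for an address
TOKEN_TTL_SECONDS = 24 * 3600 # a confirmation link is valid for one day
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[^@\s]+$")


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def make_token(email, issued_at):
    """Confirmation token <email_hex>.<timestamp>.<hmac>; tamper-evident and expiring."""
    msg = f"{email}|{issued_at}".encode()
    mac = hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{email.encode().hex()}.{issued_at}.{mac}"


def parse_token(token, now):
    """Return the email if the token is genuine and unexpired, otherwise None."""
    try:
        email_hex, ts_str, mac = token.split(".")
        email = bytes.fromhex(email_hex).decode()
        issued_at = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return None
    expected = hmac.new(TOKEN_SECRET, f"{email}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return email


class TalentNetwork:
    def __init__(self):
        self.members = {}      # email -> (first, last); confirmed entries only
        self.pending = {}      # email -> (first, last); awaiting confirmation
        self.emails_sent = []  # stand-in for the SES send call: (email, token)
        self.per_ip = SlidingWindowLimiter(limit=5, window=3600)
        self.per_email = SlidingWindowLimiter(limit=1, window=TOKEN_TTL_SECONDS)

    def submit(self, first, last, email, client_ip, now=None):
        now = int(now if now is not None else time.time())
        # Validate before touching any quota so junk input cannot consume it.
        if not (0 < len(first) <= MAX_NAME_LEN and 0 < len(last) <= MAX_NAME_LEN):
            return "rejected: name length"
        email = email.strip().lower()
        if len(email) > MAX_EMAIL_LEN or not EMAIL_RE.match(email):
            return "rejected: bad email"
        if not self.per_ip.allow(client_ip, now):
            return "rejected: ip rate limit"
        # Already a member, or a confirmation was sent recently: answer "accepted"
        # without sending anything, so repeats cannot flood the inbox or the bill.
        if email in self.members or not self.per_email.allow(email, now):
            return "accepted"
        self.pending[email] = (first, last)
        self.emails_sent.append((email, make_token(email, now)))
        return "accepted"

    def confirm(self, token, now=None):
        now = int(now if now is not None else time.time())
        email = parse_token(token, now)
        if email is None:
            return False
        if email in self.members:
            return True
        names = self.pending.pop(email, None)
        if names is None:
            return False
        self.members[email] = names   # the only place data is persisted
        return True
```

The response to a submit is deliberately the same whether the address is new, already confirmed, or recently sent a confirmation, so the endpoint does not reveal who is on the list; only malformed input and exceeded IP quotas get distinct errors.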

Potential Abuse and Reputation Damage

This vulnerability can also be considered abuse of the recipients. People who never signed up can report the messages as spam; enough complaints against the sending domain can get it blocklisted, hurting Ericsson’s deliverability and reputation.

Reporting to Ericsson

I reported this to Ericsson at vulnerability.disclosure@ericsson.com, but they did not appreciate it. That’s why I’m writing this article.

Questions for the Community

Why doesn’t CloudFront protect against such attacks? CDN services are designed to prevent such attacks. Is it due to the static nature of the email address? When will it block my IP address? Does it block the IP address or just the email? I am waiting for permission to test this further on a test email.

The form also accepts very long values (a script can put 100,000 random characters in the First Name and Last Name fields), and there is no effective CAPTCHA, so such an attack is easy to carry out, including over the Tor network.

Conclusion

It seems Ericsson misunderstood my problem description and evaluated it poorly. They have not contacted me, believing their website works flawlessly, which it doesn’t. It’s a pity about the wasted time. The script can be downloaded along with requirements.txt and a video showing it running three browsers in parallel and flooding the victim. Note: you need ChromeDriver to use the script. By the way, the script was developed by ChatGPT, which confirms how easy it is to build similar tooling. AI is advancing, but security is not. A follow-up article will cover how I did it using ChatGPT.

Final Thoughts

I hope this article demonstrates the importance of thoroughly checking everything to protect your business, reputation, and finances, and to reduce spam. Thank you for reading.

End of Part I

Written by Levko Kravchuk

I'm Levko Kravchuk, a System and Network Administrator with 15 years in IT and a DevOps mindset. Skilled in Linux, automation, and an active volunteer in BSIDES