Last week I was checking out Amazon’s Mechanical Turk web site. For those of you not familiar with the site, it allows people to set up simple tasks called Human Intelligence Tasks (HITs) for others to do that are easy for people to do but too difficult to automate by computer. The people who perform the tasks are then paid a modest amount for their effort.
I came across one HIT that I thought would interest some friends so I right-clicked the link to a preview of the HIT, chose Copy URL, then shared the link with the friends. After checking the site out, my friends astutely noticed that visiting the site logged them in as me. Looking closer at the URL, I realized it contained the actual session state. Rut roh! But that’s not all. There was a link to a “Your Account” page, which then linked to an option to change the name, e-mail address, and password on my Amazon account… without prompting for the current password. Double rut roh! Even after I changed the password, that URL could be used to log in and change it again.
Realizing the security exposure, I immediately deleted the credit card info that was on file. I then sent a few messages to the Mechanical Turk team through a few different channels describing the situation. Though I only got “Thank you for your feedback. We’ll be looking into the situation.” type messages from their team with no way to respond back, it appears they did act on the messages. Upon revisiting the site later that day I noticed that:
- I could no longer find a HIT preview link with the state information included in the URL.
- The offending URL brought up a page saying the request could not be completed successfully. However, this could just be because the session had expired. The top of the page still shows my name and there’s still a Your Account link. But…
- When clicking on the link to change the password, the site now prompts for the existing password first.
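The two defects described above (a session id carried in a shareable URL, and a password change that never re-checks the current password) alongside the kind of fixes listed here, as an added Python sketch that is not the page's or Amazon's code; the user store, session table and request dicts are constructed stand-ins for a real web app.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

# Constructed in-memory stores standing in for a real user table and session table.
USERS = {"alice": {"salt": b"constructed-salt", "hash": None}}
SESSIONS = {}  # session id -> username


def _hash(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS["alice"]["hash"] = _hash("old-pass", USERS["alice"]["salt"])


def login(username: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def resolve_session_vulnerable(request: dict):
    # Like the HIT preview URL: a session id in the query string logs the visitor in,
    # so anyone who receives the copied link inherits the account.
    q, c = request.get("query", {}), request.get("cookies", {})
    return SESSIONS.get(q.get("session") or c.get("session"))


def resolve_session(request: dict):
    # Hardened: only the cookie is consulted, so a shared URL carries no session.
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def change_password_vulnerable(request: dict, new_password: str) -> bool:
    # Any live session may set a new password without proving it knows the old one.
    user = resolve_session_vulnerable(request)
    if user is None:
        return False
    USERS[user]["hash"] = _hash(new_password, USERS[user]["salt"])
    return True


def change_password(request: dict, current_password: str, new_password: str) -> bool:
    # Hardened: require the current password, then drop every session for the user
    # so an old link or stale cookie cannot keep changing it afterwards.
    user = resolve_session(request)
    if user is None:
        return False
    salt = USERS[user]["salt"]
    if not hmac.compare_digest(USERS[user]["hash"], _hash(current_password, salt)):
        return False
    USERS[user]["hash"] = _hash(new_password, salt)
    for sid in [s for s, u in SESSIONS.items() if u == user]:
        del SESSIONS[sid]
    return True
```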
Kudos to the Amazon Mechanical Turk team for addressing the issue so quickly after I reported it. I have to say, it was kinda fun, though a bit unsettling, to find a security issue with such a high-profile site.