AWS CAPTCHA Bypass

2016-04-27T00:00:00
ID PACKETSTORM:136829
Type packetstorm
Reporter David Leo
Modified 2016-04-27T00:00:00

Description

                                        
                                            `The process of AWS login has a feature: if you use "fresh" browser(no cookie, no cache, etc) to sign in, put correct email and correct password there, CAPTCHA is required("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below").  
  
And I accidentally noticed this feature can be easily bypassed:  
  
MY SYSTEM  
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting  
Chromium 46 - not the latest  
"US-WEST-2" EC2 Instance as proxy - always the same IP  
  
MY STEPS  
  
1. Use Chromium to visit https://console.aws.amazon.com/  
2. Put correct email and correct password there, and sign in  
3. CAPTCHA is required  
  
4. Clear cookie cache etc in Chromium  
5. Use Chromium under "Lock Browser" (lockbrowser.com) with "txt/https-whitelist.txt" configured as follows:  
----------  
amazon.com  
d3rrzw75sdtfe5.cloudfront.net  
d3a94n0r6dqtjm.cloudfront.net  
d2q66yyjeovezo.cloudfront.net  
d3rn69q7afuxu6.cloudfront.net  
d257l1zb7u5fh9.cloudfront.net  
----------  
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc. fail to load.  
7. Put correct email and correct password there, and sign in  
8. CAPTCHA is NOT required  
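
The report does not say why the challenge disappears. One plausible failure mode, stated here as an assumption and not as a fact from the report, is a login flow whose CAPTCHA check only runs when the challenge widget (served from a separate CDN host such as the cloudfront.net names above) loaded in the client and posted a token. The toy handler below is an added example, not AWS code and not the reporter's, with hypothetical names; it shows that fail-open gating alongside a fail-closed form in which the server decides and enforces the requirement regardless of what the client loaded.

```python
"""Toy model of CAPTCHA gating on sign-in (added example, not AWS code).

Assumption (not stated in the report): the challenge widget comes from a
separate CDN host, and a fail-open server only verifies the CAPTCHA token
when the client reports that the widget rendered.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginRequest:
    """Constructed sample of what the server sees on a sign-in POST."""
    email: str
    password: str
    has_session_cookie: bool        # a "fresh" browser sends no cookie
    widget_loaded: bool             # False when the CDN host is blocked
    captcha_token: Optional[str] = None


# Constructed credential and token stores; hypothetical values.
VALID_CREDS = {"user@example.com": "correct horse"}
VALID_TOKENS = {"token-ok"}


def credentials_ok(req: LoginRequest) -> bool:
    return VALID_CREDS.get(req.email) == req.password


def captcha_required(req: LoginRequest) -> bool:
    # Server-side policy: a browser with no prior session must solve a challenge.
    return not req.has_session_cookie


def login_fail_open(req: LoginRequest) -> str:
    """Flawed: the token is only checked if the client says the widget loaded."""
    if not credentials_ok(req):
        return "denied"
    if captcha_required(req) and req.widget_loaded:
        if req.captcha_token not in VALID_TOKENS:
            return "captcha"
    return "ok"          # reached with no token when the widget never loaded


def login_fail_closed(req: LoginRequest) -> str:
    """Hardened: the requirement is decided and enforced server-side only."""
    if not credentials_ok(req):
        return "denied"
    if captcha_required(req) and req.captcha_token not in VALID_TOKENS:
        return "captcha"  # returned whether or not the widget rendered
    return "ok"
```

A fresh browser that cannot reach the widget host gets "ok" from the fail-open handler and "captcha" from the fail-closed one; the detection signal for the flawed form is a successful fresh-browser sign-in with no CAPTCHA token ever presented.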
  
ABOUT  
I noticed this weird thing because I'm super lazy - I don't add domains to the whitelist if it works. Later, I thought, "oops, CAPTCHA is gone". Of course, I contacted Amazon, and they said it's not a bug.  
  
REQUEST FOR COMMENT  
1. Can you reproduce this?  
2. Is this thing a bug or not?  
  
Kind Regards,  
  
  
  
`