`The process of AWS login has a feature: if you use "fresh" browser(no cookie, no cache, etc) to sign in, put correct email and correct password there, CAPTCHA is required("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below").
And I accidentally noticed this feature can be easily bypassed:
MY SYSTEM
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP
MY STEPS
1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required
4. Clear cookie cache etc in Chromium
5. Use Chromium under "Lock Browser"(lockbrowser.com) with "txt/https-whitelist.txt" configured as the following:
----------
amazon.com
d3rrzw75sdtfe5.cloudfront.net
d3a94n0r6dqtjm.cloudfront.net
d2q66yyjeovezo.cloudfront.net
d3rn69q7afuxu6.cloudfront.net
d257l1zb7u5fh9.cloudfront.net
----------
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required
ABOUT
I noticed this weird thing because I'm super lazy - don't add domains to whitelist if it works. Later, I thought, "oops, CAPTCHA is gone". Of course, I contacted Amazon, and they said it's not a bug.
REQUEST FOR COMMENT
1. Can you reproduce this?
2. Is this thing a bug or not?
Kind Regards,
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation