Hacking Amazon Images

July 18th, 2004

Amazon implements RESTful web services, and I think that’s cool, but on the other hand, they don’t seem to realize how dangerous they can be.

For example, they have an (undocumented!) web service for book cover images. It’s not a cache: it’s an actual live web service that generates the image and all the fancy things on it.

So, suppose you have the ISBN of your book (I’ll use Carsten and Matthew’s book as an example, so 0735712352). To get the cover of that book you point to the URL

http://images.amazon.com/images/P/0735712352.01.TZZZZZZZ

now you want a smaller one:

http://images.amazon.com/images/P/0735712352.01.THUMBZZZ

or maybe a bigger one:

http://images.amazon.com/images/P/0735712352.01.MZZZZZZZ

I guess you start to see the pattern:

http://images.amazon.com/images/P/[ISBN].01.[ACTION](.jpg)

Note: the .jpg extension is apparently optional; it’s probably there so that browsers like IE, which are bad at respecting the MIME type, still treat the response as an image.

Now, the weak part of this approach is that the action does not only regulate the size of the image (that would be OK) but can also be used to add stuff on top of the image, for example:

http://images.amazon.com/images/P/0735712352.01._PE_PIdp-schmoo2,TopRight,7,-26_SCMZZZZZZZ_

but, hey, there is more! I can even make it 30% off!

http://images.amazon.com/images/P/0735712352.01._PE30_PIdp-schmoo2,TopLeft,+15,-25_SCMZZZZZZZ_

but I can do better than this:

http://images.amazon.com/images/P/0735712352.01._PE99_PIdp-schmoo2,TopLeft,+15,-25_SCMZZZZZZZ_

99% off! Normally it ships at $39.99, so now I wonder: since I found a URL on the Amazon web site that says that book is 99% off, does that mean I get it for 40 cents?

I’m sure some lawyers would salivate on a case like this.

Anyway, stay away from functional URLs where the user has control over the meaning of your content: it’s not a real security hole, but dude, it can damage you pretty hard.
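As an added example (not code from the post or from Amazon), here is the server-side check that closes the gap described above: the ACTION slot of `/images/P/[ISBN].01.[ACTION](.jpg)` is confined to the three plain size codes shown in the post, the ISBN-10 checksum is verified, and anything carrying the overlay markers seen in the post’s URLs (`_PE`, `_PI`, `_SC`) is refused and can be flagged in access logs. The log lines and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Plain size codes shown in the post; anything else in the ACTION slot is refused.
ALLOWED_SIZES = {"THUMBZZZ", "TZZZZZZZ", "MZZZZZZZ"}

# Path shape from the post: /images/P/[ISBN].01.[ACTION](.jpg)
PATH_RE = re.compile(r"^/images/P/(?P<isbn>\d{9}[\dX])\.01\.(?P<action>[^/]+?)(?:\.jpg)?$")

# Overlay markers taken from the post's example URLs (a constructed denylist for reporting only;
# the allowlist above is what actually decides).
OVERLAY_MARKERS = ("_PE", "_PI", "_SC")


def isbn10_ok(isbn: str) -> bool:
    """Standard ISBN-10 check: digits weighted 10..1 must sum to a multiple of 11."""
    total = sum((10 - i) * (10 if c == "X" else int(c)) for i, c in enumerate(isbn))
    return total % 11 == 0


def classify(url: str) -> tuple[bool, str]:
    """Return (serve?, reason) for one requested cover-image URL or path."""
    m = PATH_RE.match(urlparse(url).path)
    if not m:
        return False, "path does not match /images/P/[ISBN].01.[ACTION]"
    isbn, action = m["isbn"], m["action"]
    if not isbn10_ok(isbn):
        return False, f"bad ISBN-10 checksum: {isbn}"
    if action in ALLOWED_SIZES:
        return True, f"plain size code {action}"
    hit = [mk for mk in OVERLAY_MARKERS if mk in action]
    if hit:
        return False, f"overlay directive(s) {','.join(hit)} in ACTION slot"
    return False, f"unknown ACTION {action!r}"


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2004:10:00:01] "GET /images/P/0735712352.01.MZZZZZZZ.jpg HTTP/1.1" 200',
    '10.0.0.6 - - [18/Jul/2004:10:00:02] "GET /images/P/0735712352.01._PE99_PIdp-schmoo2,TopLeft,+15,-25_SCMZZZZZZZ_ HTTP/1.1" 200',
]


def flag_requests(log_lines) -> list[str]:
    """Return the request paths in the log that the validator would have refused."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if m and not classify(m.group(1))[0]:
            flagged.append(m.group(1))
    return flagged
```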

First of all, the content of this page is informative and is not meant to cause harm to amazon.com, but only to show how dangerous this type of hidden RESTful web service can be for you. Second, I did not violate the DMCA because I simply asked for URLs on a web server, and that is not an illegal practice. Third, if you are Amazon and you think I damaged you, think again, thank me and tell your developers to fix it.