Bug in AMD store let bots bypass anti bot filters

Lakados

2[H]4U
Joined
Feb 3, 2014
Messages
3,885
You had one job AMD....
https://www.pcmag.com/news/bug-in-a...uXPNkuPhO_5Dh1M9l8olUkqgmEaTZT_AFnYeYFi-PGkQI

“he was able to bypass the whole process, including the store's anti-bot measures, thanks to the bug. “My vector created a permanent link that would allow you to attempt to add any product to cart,” he explained. “The link could be hammered 24/7 without any restriction. The return would be a JSON packet that either showed failure or success.”
 

clockdogg

[H]ard|Gawd
Joined
Dec 12, 2007
Messages
1,127
Ugh. You can never do enough testing.

Unless it's patience. Those have a [H]ard limit.
 
Joined
Dec 29, 2000
Messages
2,454
I wonder when this was fixed... when I got my GPU you couldn't hammer the ATC link, it would return a 403 and their CDN/DDoS protection would ban you for a little bit.
 

DPI

[H]F Junkie
Joined
Apr 20, 2013
Messages
11,500
Is this the same guy here that was talking about this a month or so ago here on HF? I forwarded over all his information to AMD and I am fairly sure they got in touch with him.

Don't think so. Somewhat old news, but the uproar a month ago after an [H] forum user saw a screenshot posted here and took it to Reddit (and his thread got attention - possibly AMD's too), together with Kyle's direct communication I imagine every bit helped.

But this new Reddit post yesterday 4/21 that's the basis of the PCMag article in the OP, the guy's post reads more like fanfiction of what exploiting a checkout system might involve, based on somewhat common knowledge in various Discords that deal in stock alerts and botting. It's possible the guy found his own exploit in parallel to the bot developers; but then correlation wouldn't be causation. He also mentions much further down in the comments that he only "reported" anything to AMD after he'd already bought a bunch of stuff for himself and had his fill.

Who knows, but good for him if he did provide anything helpful to AMD; it got fixed one way or another and exploits haven't worked since April 1.
 

DPI

[H]F Junkie
Joined
Apr 20, 2013
Messages
11,500
Also amusing is Digital River reaching out to PCMag after the article, providing a lawyer-language PR tourniquet by stating an irrelevant: "We don't host AMD's online store"



DR not "hosting AMD's online store" (website is what they mean) is irrelevant because bot developers were able to reverse-engineer >>Digital River's API<< to both expose inventory counts and perform checkouts programmatically, independent of AMD's website. The entire automated purchase operation did not require AMD's website/front-end. In fact bot developers broke down DR's API so thoroughly they were actually reciting movie quotes left by the API's developers in commented sections.

If you've read this far, congratulations you've hit your internet-minutiae quota for the day and I do apologize.
 