Bug in AMD store let bots bypass anti bot filters

Lakados

You had one job AMD....
https://www.pcmag.com/news/bug-in-a...uXPNkuPhO_5Dh1M9l8olUkqgmEaTZT_AFnYeYFi-PGkQI

“...he was able to bypass the whole process, including the store's anti-bot measures, thanks to the bug. ‘My vector created a permanent link that would allow you to attempt to add any product to cart,’ he explained. ‘The link could be hammered 24/7 without any restriction. The return would be a JSON packet that either showed failure or success.’”
 
Ugh. You can never do enough testing.

Unless it's patience. Those have a [H]ard limit.
 
I wonder when this was fixed... when I got my GPU you couldn't hammer the ATC link, it would return a 403 and their CDN/DDoS protection would ban you for a little bit.
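The behaviour described in the quoted report and in this reply (an add-to-cart link hit continuously, and a CDN that answers 403 and bans the client for a while) is the kind of thing a store operator can catch in access logs. The following is an added example, not code from the thread or from AMD's or Digital River's stack: a sliding-window check over constructed log lines that flags any client exceeding a per-window hit limit on an assumed add-to-cart path.

```python
# Added example with assumed path, window and limit (not values from AMD's store).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ATC_PATH = "/store/cart/add"   # assumed add-to-cart endpoint
LIMIT = 5                      # hits allowed per client per window
WINDOW = timedelta(seconds=60)

def parse_line(line):
    """Parse one combined-log-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_hammering_clients(lines, path=ATC_PATH, limit=LIMIT, window=WINDOW):
    """Return {ip: timestamp} of the first request at which each client
    exceeded `limit` hits on `path` inside a `window`-long sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent hits on `path`
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != path:
            continue
        ip, ts, _, _ = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > limit and ip not in flagged:
            flagged[ip] = ts           # point at which a 403 + temporary ban would start
    return flagged

# Constructed sample: one shopper adds once, one client hits the link every 5 s.
SAMPLE_LOG = [
    '198.51.100.22 - - [21/Apr/2021:10:00:00 +0000] "POST /store/cart/add?sku=EXAMPLE-GPU HTTP/1.1" 200 87',
    *(f'203.0.113.7 - - [21/Apr/2021:10:00:{s:02d} +0000] "GET /store/cart/add?sku=EXAMPLE-GPU HTTP/1.1" 200 87'
      for s in range(0, 40, 5)),
    '198.51.100.22 - - [21/Apr/2021:10:00:45 +0000] "GET /store/cart/view HTTP/1.1" 200 1204',
]
```

On the sample, only 203.0.113.7 is flagged, at its sixth hit (10:00:25); the shopper's single add-to-cart request is left alone.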
 
Is this the same guy here that was talking about this a month or so ago here on HF? I forwarded over all his information to AMD and I am fairly sure they got in touch with him.

Don't think so. Somewhat old news, but the uproar a month ago after an [H] forum user saw a screenshot posted here and took it to Reddit (and his thread got attention - possibly AMD's too), together with Kyle's direct communication I imagine every bit helped.

But as for this new Reddit post yesterday 4/21 that's the basis of the PCMag article in the OP, the guy's post reads more like fanfiction of what exploiting a checkout system might involve, based on somewhat common knowledge in various Discords that deal in stock alerts and botting. It's possible the guy found his own exploit in parallel to the bot developers; but then correlation wouldn't be causation. He also mentions much further down in the comments that he only "reported" anything to AMD after he'd already bought a bunch of stuff for himself and had his fill.

Who knows, but good for him if he did provide anything helpful to AMD; it got fixed one way or another and exploits haven't worked since April 1.
 
Also amusing is Digital River reaching out to PCMag after the article, providing a lawyer-language PR tourniquet by stating an irrelevant: "We don't host AMD's online store"



DR not "hosting AMD's online store" (website is what they mean) is irrelevant because bot developers were able to reverse-engineer >>Digital River's API<< to both expose inventory counts and perform checkouts programmatically, independent of AMD's website. The entire automated purchase operation did not require AMD's website/front-end. In fact, bot developers broke down DR's API so thoroughly they were actually reciting movie quotes left by the API's developers in commented sections.

If you've read this far, congratulations, you've hit your internet-minutiae quota for the day and I do apologize.
 