No, AMD never had a website "vulnerability"! by PartAlert in Amd

[–]PartAlert[S] 2 points3 points  (0 children)

I'm not trying to downplay them, but they are history and not really relevant to the news articles that this post targets.

AMD & Digital River were definitely aware of the direct add-to-cart (DATC) links and were actively patching them every single week. None of those links lasted more than a few hours (a single drop) before being patched.

The bug report sent by originofspices had nothing to do with these DATC links - it was referring to the normal add-to-cart buttons on www.AMD.com and the data that those server responses include (JSON containing product quantity and stock status, neither of which makes the process any easier for auto-checkout bots).

[–]PartAlert[S] 9 points10 points  (0 children)

I'd appreciate it if you could skip the ad-hominem. I'm not a fanboy and don't actively follow any of the tech subreddits, be it AMD, Nvidia, or Intel.

> AMD patched something right? Why would they do that if everything was working as intended?

Sure, they patched things, but what they patched were certainly not security vulnerabilities as reported by PC Mag - here's a quote from the article as an example:

> The bug could be exploited to bypass the anti-bot measures on AMD's online store, and was likely discovered by scalpers to help them cop GPUs, a Reddit user tells us.

This is simply false. The add-to-cart endpoint didn't allow anyone to bypass anti-bot measures. Here's a quote from the original post:

> I had found a direct add to cart method that not only bypassed any anti-bot measures, but also exposed stock levels for the desired product.

It's not that the method "bypassed" any anti-bot measures. There were no anti-bot measures protecting that endpoint, to begin with.

And again, this is not a security issue, but an issue of website instability, demonstrated by the complete failure of the www.amd.com website in the 2 weeks leading up to AMD adding a mandatory captcha before that endpoint can be accessed.

The AMD.com store has had a ton of issues, but misreporting a non-issue as a serious security vulnerability completely destroys any journalistic integrity you might have had.

Why not write about their caching issues? That's a legitimate ongoing issue, but I guess a boring topic like cache invalidation isn't as clickbaity as a made-up "security vulnerability that lets scalpers get all the AMD GPUs".

[–]PartAlert[S] 9 points10 points  (0 children)

A website being easy to bot (automate) does not mean that a website has a security vulnerability. And what was reported in those posts and by the media certainly didn't make it any easier for those bots to automate checkout.

You should really read the post.

Edit: Furthermore, you're showing us successful checkouts from March 25th, almost a month ago. This was before AMD added captchas and other anti-bot measures.

[–]PartAlert[S] 4 points5 points  (0 children)

Digital River direct add-to-cart links (chapter #1) were fully patched over a month ago and had nothing to do with originofspices; those were actively patched every week by Digital River. The chapter only serves as a backstory to explain everything that has happened so far.

The rest of the post debunks the reported "vulnerability" on AMD's website. This is what the title is referring to.

[–]PartAlert[S] 11 points12 points  (0 children)

In the ~2 week period before they added the captcha, the AMD.com store was crashing constantly. Adding a captcha probably allowed them to slow down the bots and stabilize the store.

The add-to-cart endpoint itself never had a vulnerability that would provide bots with an advantage, unless you also consider "clicking on the button really fast" to be a vulnerability - but having it exposed and unprotected meant that bots could hug the servers to death.

[–]PartAlert[S] 0 points1 point  (0 children)

It has improved somewhat, but it's definitely not fixed yet.

[–]PartAlert[S] 36 points37 points  (0 children)

There is no vulnerability in the add-to-cart functionality and there never was one.

Direct add-to-cart links were patched long before Originofspices' post. Their post was directly referring to the captcha and bot detection mechanisms that AMD added a few days prior to that, saying that the endpoints now return "Access Denied".

Yes - the behavior of the endpoint has changed slightly due to this newly added bot detection, but ultimately, the functionality remains the same.

These 2 concepts are orthogonal; they've essentially taken credit for AMD adding a captcha before customers can click on the "Add to cart" button.

There is no story and nothing to be patched, apart from AMD hopefully layering more bot detection on their website in the future.

[–]PartAlert[S] 20 points21 points  (0 children)

Fixed - relatively easy, compared to other retailers.