
Bug in AMD's Online Store Allowed People to Easily Buy Graphics Cards

UPDATE: A product stock alert service says the bug actually wasn't a vulnerability, but more about peeking at the data behind a website's normal checkout flow.

By Michael Kan
April 22, 2021

UPDATE 4/23/21: A product stock alerting service says the bug in AMD's online store that enabled the bypass actually isn't a vulnerability.

The developer behind PartsAlert says the bypass discovered by originofspices simply took advantage of the normal add-to-cart process and then looked at the backend web data returned. That data can tell you whether the product is in stock and how many units are left.

"Let me be clear, this reported 'vulnerability' did not give bots any significant advantage, despite what the previous posts said or what the media reported," developer "recursiveGecko" wrote in a Reddit post. "Bots simply used this information to know when the products were in stock. There's nothing for AMD to patch."

At most, a bot could automate one part of the checkout flow on AMD's store: the add-to-cart function. But again, recursiveGecko says: "This is not a 'vulnerability,' it's just partial automation of the checkout flow that everyone has to go through."

According to recursiveGecko, AMD has since eliminated the issue by blocking all publicly known add-to-cart links on the online store.

In response, originofspices says he still stands by his findings. "It's not so easy to generate a direct add to cart link for a product on Amazon, and even if it is easy for someone more skilled than me, there has to be a way for AMD to block IPs that are hammering the link incessantly. This is what I hoped AMD had started doing."

RecursiveGecko also claims AMD's online store long suffered from other bypass vulnerabilities involving "direct add-to-cart links." But the company was quick to patch them before they became widely known.

"Over the past few months, the team at AMD has been one of the most proactive in their fight against bots and they deserve some respect for that," recursiveGecko added.


Original story:
As PC builders everywhere struggle to buy graphics cards, one internet user says he discovered a software bug in AMD’s online store that let him easily land GPUs.

On Wednesday, Reddit user “originofspices,” who asked that we not use his real name, posted about the bug, which he suspects scalpers knew about long before he found it. “I'm sure other people had discovered this months before I did. It was so easy to find,” he told us in a Reddit chat. “100% actual scalpers had discovered this vector and were buying up lots of parts.”

The bug essentially created a backdoor to AMD’s online store, which has been releasing limited supplies of Radeon graphics cards every Thursday or Friday. During the restocks, normal users have to navigate an often frustrating experience. For example, the site can buckle under the traffic or the GPU product won't be added to a cart.

However, originofspices says he was able to bypass the whole process, including the store's anti-bot measures, thanks to the bug. “My vector created a permanent link that would allow you to attempt to add any product to cart,” he explained. “The link could be hammered 24/7 without any restriction. The return would be a JSON packet that either showed failure or success.”

As a result, the moment AMD restocked an item, it could be quickly added to a cart. The same bug also exposed the inventory levels of the Radeon cards sold on AMD’s online store, as well as which warehouse would ship the product.

Since November, originofspices has been trying to buy a new graphics card amid the ongoing chip shortage. In February, he began exploring the computer code of AMD’s online store in the hopes of learning how to land a Radeon GPU during a product restock.

Originofspices later used the bug to help him buy a Radeon RX 6900XT card. But if you’re a desperate PC consumer hoping to exploit the vulnerability, you’re out of luck. Originofspices reported the vulnerability to AMD, and he says it's now patched. 

However, he says he’s no computer hacker, nor an expert in vulnerability discovery. Instead, the easily discoverable bug may underscore some poor design choices on AMD’s site, which uses services from e-commerce provider Digital River.

“The AMD web store that is run by Digital River was not well designed and was easily exploitable by unskilled users such as myself,” originofspices said. 

In response to the bug, Digital River told PCMag it actually doesn't host AMD's online store. “AMD’s site is utilizing our global seller services for managing payments, taxes, fraud and compliance. We are the seller of record, which is why Digital River’s name appears on the transaction but we do not host their store.”

AMD hasn't responded to a request for comment. However, originofspices says AMD sent him a T-shirt to thank him for the discovery. With the bug now patched, he’s hoping scalpers will have a tougher time obtaining GPUs from AMD’s website, which could make it easier for normal consumers to land one. 

“I was just fed up with scalpers buying up all of the parts and selling them at big markups. The fact that the bug is fixed and (hopefully) more end users can buy parts is the thing I'm pleased about,” he said.

Editor's Note: This story has been updated with comment from Digital River.
