With the Amazon Prime subscription you have many services such as Prime Video, Prime Music, Prime Pantry and so on. You also have a plan with only 5GB of free space on Amazon Drive and unlimited space on Amazon Photos. So, my question was: "What happens if I upload a file that isn't a photo, making it believe that it is? What kind of checks do they do on the file?".
First of all, I tried to upload a very huge file, a photo from NASA of 450MB just to check if there is any limit. The photo was uploaded without problems. So I can upload a big backup, good. And yes, I could have read Amazon Drive Photo and Video File Requirements but I would like to try by myself, because documentations aren't always updated.
The next step was simply change the extension of a file from .tar.gz to .jpg.
First try with simple extension's renaming...
The file wasn't recognized as an image, and I saw it in the statistics of the 5GB Drive storage, obviously, as you can see in the following screenshot.
Changing the extension doesn't work.
The only method to try was to create an ad-hoc file. No problem.
Craft The File
The first thing that I tried to do is simply merge two files: an image and a zip package. I thought to bypass the checks with the header of the image file, but why zip package? Because I would like to use this unlimited space for backups, and usually zip packages are commonly used.
So, I tried with a JPG image merged with a ZIP file following these steps:
- Create a ZIP file.
- Check the properties of the original JPG image.
- Merge the JPG image with the ZIP file.
- Check the properties of the new merged file.
This is the history of my Linux commands to create the merged JPG.
┌─[alesanco@parrot]─[~/Security/AmazonPhotos] └──╼ $ zip backup.zip node-v8.12.0.tar.gz notes.txt adding: node-v8.12.0.tar.gz (deflated 1%) adding: notes.txt (stored 0%) ┌─[alesanco@parrot]─[~/Security/AmazonPhotos] └──╼ $ file securitygifts.jpg securitygifts.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1600x1200, frames 3 ┌─[alesanco@parrot]─[~/Security/AmazonPhotos] └──╼ $ cat securitygifts.jpg backup.zip >> photo.jpg ┌─[alesanco@parrot]─[~/Security/AmazonPhotos] └──╼ $ file photo.jpg photo.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1600x1200, frames 3
I've used the cat command to merge the files, but, with steganography, there are many better ways to do it with high compression and obfuscated bytes, for example with steghide or stegosuite. Anyway, as you can see, the properties of the new merged file was the same of the image. Even Amazon Photos thinks it's an image.
Crafted file is recognized as an image.
But using binwalk we can see that it's not a normal image file.
DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 98327 0x18017 Zip archive data, at least v2.0 to extract, compressed size: 30154548, uncompressed size: 30393516, name: node-v8.12.0.tar.gz 30252952 0x1CD9F98 Zip archive data, at least v1.0 to extract, compressed size 60, uncompressed size: 60, name: notes.txt 30253247 0x1CDA0BF End of Zip archive, footer length: 22
Not a normal image file, but it was uploaded as a photo in the unlimited space, as you can see in the following screenshot.
To verify that Amazon doesn't strip or do other things that could corrupt my file, I downloaded it, changed the extension to .zip and extracted the package.
I can extract all files!
It works. So, with a simple cat command, using a random image, I could upload any file into the unlimited free space, such as encrypted backups, videos, warez, etc.
File Upload Bug? Not For Amazon.
I contacted the Amazon Security Team, they answered me really fast, but they told me that "the Prime Photos product team confirmed that this is currently working as designed".
Working as designed? So, if I've a Prime subscription, with this method I potentially could use Photos as backup storage without paying extra money, and this isn't a bug?
I don't know if it could be considered a security bug, but for me it's a bug and besides, I have unlimited free file storage now. Amazon says it's fine!