With the Amazon Prime subscription you have many services such as Prime Video, Prime Music, Prime Pantry and so on. You also have a plan with only 5GB of free space on Amazon Drive and unlimited space on Amazon Photos. So, my question was: "What happens if I upload a file that isn't a photo, making it believe that it is? What kind of checks do they do on the file?".

Some Tests

First of all, I tried to upload a very huge file, a photo from NASA of 450MB just to check if there is any limit. The photo was uploaded without problems. So I can upload a big backup, good. And yes, I could have read Amazon Drive Photo and Video File Requirements but I would like to try by myself, because documentations aren't always updated.

The next step was simply change the extension of a file from .tar.gz to .jpg.

Prima prova con la semplice modifica dell'estensione ...First try with simple extension's renaming...

The file wasn't recognized as an image, and I saw it in the statistics of the 5GB Drive storage, obviously, as you can see in the following screenshot.

Changing the extension doesn't work.Changing the extension doesn't work.

The only method to try was to create an ad-hoc file. No problem.

Craft The File

The first thing that I tried to do is simply merge two files: an image and a zip package. I thought to bypass the checks with the header of the image file, but why zip package? Because I would like to use this unlimited space for backups, and usually zip packages are commonly used.

So, I tried with a JPG image merged with a ZIP file following these steps:

  1. Create a ZIP file.
  2. Check the properties of the original JPG image.
  3. Merge the JPG image with the ZIP file.
  4. Check the properties of the new merged file.

This is the history of my Linux commands to create the merged JPG.

┌─[alesanco@parrot]─[~/Security/AmazonPhotos]
└──╼ $ zip backup.zip node-v8.12.0.tar.gz notes.txt
adding: node-v8.12.0.tar.gz (deflated 1%)
adding: notes.txt (stored 0%)
┌─[alesanco@parrot]─[~/Security/AmazonPhotos]
└──╼ $ file securitygifts.jpg
securitygifts.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1600x1200, frames 3
┌─[alesanco@parrot]─[~/Security/AmazonPhotos]
└──╼ $ cat securitygifts.jpg backup.zip >> photo.jpg
┌─[alesanco@parrot]─[~/Security/AmazonPhotos]
└──╼ $ file photo.jpg
photo.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1600x1200, frames 3

I've used the cat command to merge the files, but, with steganography, there are many better ways to do it with high compression and obfuscated bytes, for example with steghide or stegosuite. Anyway, as you can see, the properties of the new merged file was the same of the image. Even Amazon Photos thinks it's an image.

Crafted file is recognized as an image.Crafted file is recognized as an image.

But using binwalk we can see that it's not a normal image file.

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         JPEG image data, JFIF standard 1.01
98327       0x18017     Zip archive data, at least v2.0 to extract, compressed size: 30154548, uncompressed size: 30393516, name: node-v8.12.0.tar.gz
30252952    0x1CD9F98   Zip archive data, at least v1.0 to extract, compressed size 60, uncompressed size: 60, name: notes.txt
30253247    0x1CDA0BF   End of Zip archive, footer length: 22

Not a normal image file, but it was uploaded as a photo in the unlimited space, as you can see in the following screenshot.

Unlimited space!Unlimited space!

To verify that Amazon doesn't strip or do other things that could corrupt my file, I downloaded it, changed the extension to .zip and extracted the package.

I can extract all files!I can extract all files!

It works. So, with a simple cat command, using a random image, I could upload any file into the unlimited free space, such as encrypted backups, videos, warez, etc.

File Upload Bug? Not For Amazon.

I contacted the Amazon Security Team, they answered me really fast, but they told me that "the Prime Photos product team confirmed that this is currently working as designed".

Working as designed? So, if I've a Prime subscription, with this method I potentially could use Photos as backup storage without paying extra money, and this isn't a bug?

I don't know if it could be considered a security bug, but for me it's a bug and besides, I have unlimited free file storage now. Amazon says it's fine!

The image used to head this article is called "Retro Camera" and was created by Michael Fugoso.