AMD Web Store Still Vulnerable To 'Add To Cart' Bot Raids Despite Recent Fix
After a Reddit user alerted AMD to vulnerabilities within its web store that was making it easy for bots to buy hard-to-get graphics cards and other hardware before us regular folk ever stood a chance, it made some back-end changes and sent the user a t-shirt as a 'thank you' gift. All is now well in the world, right? Well, not exactly. There's still more work to be done on AMD's part.
We're not talking about work in the broader sense, like securing more silicon so that supply can catch up with demand, even while being ravaged by cryptocurrency miners and scalpers. Much of that is outside of AMD's control—manufacturing partner TSMC recently indicated the general shortage of silicon could linger through next year and even into 2023. Ooph!
In the meantime, retailers across the web are wrestling with bots, or automated scripts that are making it near impossible for the rest of us to buy graphics cards, high end CPUs, and anything else that is in short supply. To that end, Reddit user Originofspices reverse engineered AMD's web store and found a troubling vulnerability that allowed bots to circumvent anti-bot routines and add items directly to their carts, as well as peek behind the curtain and see AMD's inventory levels.
"A couple of weeks ago I reported the vulnerability to AMD cybersecurity and I'm excited to report that they have fixed the problem. Hopefully that's one less vector for scalpers to buy GPUs using bots. Good luck to everyone for upcoming drops!," Originsofspices wrote.
Kudos to them and AMD, but apparently the vulnerability is not completely fixed. Reddit user LRF17 has brought to attention that it is still possible to check the stock of an item in AMD's web store just by sending a post request when clicking the 'Add to Cart' button.
Click to Enlarge (Source: Reddit user LRF17)
Using this trick, if you want to call it that, scripted bots can send out stock notifications to opportunistic scalpers in advance.
"Bots like PartAlert can always instantly know if there is stock or not, now I let you imagine what a guy might do with bad intentions, CAPTCHA or not. The only thing AMD fixed is the script that could instantly add a [graphics] card to the cart. The problem with that is that with the script you could grab a GPU as fast as a bot manually," LRF17 explains.
It's just a frustrating situation all around. In some ways, it is akin to the back-and-forth between malware authors and antivirus developers—each side is constantly trying to render the other useless, and any victories on either side are usually short lived. And for those of us hoping to buy PC hardware, there's not a whole lot we can do but be patient, and let out a collective sigh.
