As PC builders everywhere struggle to buy graphics cards, one internet user says he discovered a software bug in AMD’s online store to easily land GPUs.
On Wednesday, Reddit user “originofspices,” who asked that we not use his real name, posted about the bug, which he suspects scalpers knew about long before he found it. “I'm sure other people had discovered this months before I did. It was so easy to find,” he told us in a Reddit chat. “100% actual scalpers had discovered this vector and were buying up lots of parts.”
The bug essentially created a backdoor to AMD’s online store, which has been releasing limited supplies of Radeon graphics cards every Thursday or Friday. During the restocks, normal users have to navigate an often frustrating experience. For example, the site can buckle under the traffic or the GPU product won't be added to a cart.
However, originofspices says he was able to bypass the whole process, including the store's anti-bot measures, thanks to the bug. “My vector created a permanent link that would allow you to attempt to add any product to cart,” he explained. “The link could be hammered 24/7 without any restriction. The return would be a JSON packet that either showed failure or success.”
As a result, the moment AMD restocked an item, it could be quickly added to a cart. The same bug also exposed the inventory levels to the Radeon cards sold on AMD’s online store, as well as which warehouse would ship the product.
Since November, originofspices has been trying to buy a new graphics card amid the ongoing chip shortage. In February, he began exploring the computer code of AMD’s online store in the hopes of learning how to land a Radeon GPU during a product restock.
Originofspices later used the bug to help him buy a Radeon RX 6900XT card. But if you’re a desperate PC consumer hoping to exploit the vulnerability, you’re out of luck. Originofspices reported the vulnerability to AMD, and he says it's now patched.
However, he says he’s no computer hacker, or an expert in vulnerability discovery. Instead, the easily discoverable bug may underscore some poor design choices on AMD’s site, which uses services from e-commerce provider Digital River.
“The AMD web store that is run by Digital River was not well designed and was easily exploitable by unskilled users such as myself,” originofspices said.
Recommended by Our Editors
In response to the bug, Digital River told PCMag it actually doesn't host AMD's online store. “AMD’s site is utilizing our global seller services for managing payments, taxes, fraud and compliance. We are the seller of record, which is why Digital River’s name appears on the transaction but we do not host their store.”
AMD hasn't responded to a request for comment. However, originofspices says AMD sent him a T-shirt to thank him for the discovery. With the bug now patched, he’s hoping scalpers will have a tougher time obtaining GPUs from AMD’s website, which could make it easier for normal consumers to land one.
“I was just fed up with scalpers buying up all of the parts and selling them at big markups. The fact that the bug is fixed and (hopefully) more end users can buy parts is the thing I'm pleased about,” he said.
Editor's Note: This story has been updated with comment from Digital River.
The Link LonkApril 23, 2021 at 12:18AM
https://ift.tt/3vcFr6p
Bug in AMD's Online Store Allowed People to Easily Buy Graphics Cards - PCMag
https://ift.tt/2ZDueh5
AMD
No comments:
Post a Comment