THE INFORMATION HERE IS FOR ENTERTAINMENT PURPOSES ONLY. THESE ACTS WERE NOT ACTUALLY COMMITTED BY ANYONE ASSOCIATED WITH THIS WEBSITE.
Most Flexers by now know about the so called “Script Users”, people who are grabbing and accepting blocks straight from Amazon’s servers. These people are impossible to compete with. No human hands can accept faster than a script that is endlessly running. Few Flexers are aware of how these scripts actually work and just how easy it is to hack Amazon Flex to give yourself an advantage.
I’m writing this article NOT to teach Flexers how to hack the Amazon Flex app. This won’t be a tutorial, but we will gain some insights and learn that it’s far too easy to intercept traffic from the Flex app.
I hope that this article will inspire Amazon to take action to secure their API communications from within the Flex App. This would be beneficial to all honest drivers and give script users real problems.
Man-in-the-middle
A man-in-the-middle attack is where someone can intercept communications and alter them. In this case we’ll be snooping in on the Flex app, seeing exactly what it sends to and receives from the Amazon servers.
For example when you accept an offer the Flex app POST data to the Amazon server with the offers ID. With man-in-the-middle we can see exactly what is taking place from within the Flex app when we accept an offer. With some further snooping we could begin to automate the process.
As we see in the above image, in order to accept a block we need an offerId. How do we get these? While snooping all we need to do is tap refresh in the Offers screen. Now we see the GET request from the server and all that it returns.
Here we see a block priced at $54 and on the 5th line we see the offerId. Now all we need to do is send a POST request to the server with this offer ID and we will have accepted the block.
Way Too Easy
As we’ve seen anyone who can set up a simple man-in-the-middle proxy and connect their phone to it can begin snooping on the Flex app. With that we can quickly learn to automate the accepting offers process.
With a little coding we could create a script to send request directly to Amazon’s server every millisecond if we wanted. Obviously no human could hope to compete with this fast of a process and Amazon has made it super simple to snoop in on their processes within the Flex app.
Fix It
Amazon has apparently taken no action what so ever to secure their communications. It’s incredibly simple to snoop in on their app and see things that we weren’t meant to see. Like how to accept an offer without ever opening the Flex app by making a quick script. Anyone with a little tech savviness could figure this out. It seems Amazon has underestimated their contractors abilities. As a result we’ve got script users taking all the blocks at impossible to compete with speeds.
It’s time for Amazon to fix this issue and shutdown script users for good. They need to make changes to their API and secure network communications from within the Flex app. If this were to happen we driver’s would see a massive improvement in our ability to accept offers.
Appreciate it! Flex on.
Sources:
Comments (1)
Panda Girlsays:
June 10, 2019 at 10:34 pmThank you so much for proving the rumor isn’t fake news. What is more alarming is that I have oberved that these script users can even steal reserved blocks offered to other users. I have many occassions where I receive a highly-sought-after reserve block offer. But when I click on it, it says that it is no longer available. In other cases, the reserve block should stick on your screen even when you reserve. For those sought-after blocks, they will immediately disappear off the screen.
Another issue I have encountered is that the script users also have the capability to alter routes. (I know for sure that the station I work at has an individual using scripts to capture all the blocks with several accounts. He then distribute them amongst his crowd of subscribers.) Those individuals who use scripts and subscribe to script services often suddenly new stops or better routes. And the regular folks are left with 1 or 2 stop to the furthest distances for a 2 to 3 hr block. Even after we scan in the packages, it can fall off our list. And those script users would then come up to us saying if we have any of their packages. Has that happen to other drivers?