THE INFORMATION HERE IS FOR ENTERTAINMENT PURPOSES ONLY. THESE ACTS WERE NOT ACTUALLY COMMITTED BY ANYONE ASSOCIATED WITH THIS WEBSITE.
Most Flexers by now know about the so called “Script Users”, people who are grabbing and accepting blocks straight from Amazon’s servers. These people are impossible to compete with. No human hands can accept faster than a script that is endlessly running. Few Flexers are aware of how these scripts actually work and just how easy it is to hack Amazon Flex to give yourself an advantage.
I’m writing this article NOT to teach Flexers how to hack the Amazon Flex app. This won’t be a tutorial, but we will gain some insights and learn that it’s far too easy to intercept traffic from the Flex app.
I hope that this article will inspire Amazon to take action to secure their API communications from within the Flex App. This would be beneficial to all honest drivers and give script users real problems.
Man-in-the-middle
A man-in-the-middle attack is where someone can intercept communications and alter them. In this case we’ll be snooping in on the Flex app, seeing exactly what it sends to and receives from the Amazon servers.
For example when you accept an offer the Flex app POST data to the Amazon server with the offers ID. With man-in-the-middle we can see exactly what is taking place from within the Flex app when we accept an offer. With some further snooping we could begin to automate the process.
As we see in the above image, in order to accept a block we need an offerId. How do we get these? While snooping all we need to do is tap refresh in the Offers screen. Now we see the GET request from the server and all that it returns.
Here we see a block priced at $54 and on the 5th line we see the offerId. Now all we need to do is send a POST request to the server with this offer ID and we will have accepted the block.
Way Too Easy
As we’ve seen anyone who can set up a simple man-in-the-middle proxy and connect their phone to it can begin snooping on the Flex app. With that we can quickly learn to automate the accepting offers process.
With a little coding we could create a script to send request directly to Amazon’s server every millisecond if we wanted. Obviously no human could hope to compete with this fast of a process and Amazon has made it super simple to snoop in on their processes within the Flex app.
Fix It
Amazon has apparently taken no action what so ever to secure their communications. It’s incredibly simple to snoop in on their app and see things that we weren’t meant to see. Like how to accept an offer without ever opening the Flex app by making a quick script. Anyone with a little tech savviness could figure this out. It seems Amazon has underestimated their contractors abilities. As a result we’ve got script users taking all the blocks at impossible to compete with speeds.
It’s time for Amazon to fix this issue and shutdown script users for good. They need to make changes to their API and secure network communications from within the Flex app. If this were to happen we driver’s would see a massive improvement in our ability to accept offers.
Appreciate it! Flex on.
Sources: