Amazon Login May Accept Password Variants
The online shopping portal Amazon may accept password variants during login, according to the German technology news site Heise Online. According to the information published there, Amazon may accept passwords that are not the exact password of the user account: the login script may ignore upper and lower case as well as any characters after the eighth position. Amazon would for instance accept the original password "Password123" but also "password" or "password123".
Not all Amazon accounts are affected by the security issue. According to Heise, only passwords that have not been changed for a long time are affected.
The only information available at this point in time is a test that Heise Online conducted. It revealed that a password that was changed last year was immune, while older passwords were not. Some commenters in the forum were able to use password variants on accounts where passwords had not been changed since 2007.
Amazon users can test whether their account is affected by logging into Amazon with a variant of their password: for instance by changing a lower case character to upper case, or, if the password exceeds eight characters, by appending characters at the end of it.
Affected accounts can be protected by changing the account password. Passwords are changed in the Change Name, E-mail Address, or Password setting under Your Account.
Update: It needs to be noted that the flaw still exists on all Amazon properties. Amazon customers who have been with the popular shopping portal for years need to change their passwords at the Amazon website to protect their account from the design flaw.
It appears as if Amazon has changed the password functions on their sites in past years to protect new customers and those who change their passwords from the issue.
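The following is an added example, not code from the article or from Amazon, that models the behaviour the article describes: a legacy verifier that folds case and discards everything past the eighth character, next to a hardened verifier that hashes the full password with a salted key derivation function and compares in constant time. The legacy normalisation is an assumption chosen to reproduce the symptoms reported above, not Amazon's actual implementation; the `needs_rehash` check shows how a site can flag accounts that are still on the old scheme so they are migrated at their next successful login.

```python
import hashlib
import hmac
import os

# Assumed model of the legacy behaviour: ignore case and anything past the
# eighth character before comparing. Not Amazon's real code.
LEGACY_MAX_LEN = 8


def legacy_normalise(password: str) -> str:
    return password[:LEGACY_MAX_LEN].lower()


def legacy_verify(stored_password: str, attempt: str) -> bool:
    """Accepts every variant that collapses to the same 8-char, lowercase prefix."""
    return legacy_normalise(stored_password) == legacy_normalise(attempt)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: salted PBKDF2-HMAC-SHA256 over the full, unmodified password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "salt": salt, "iterations": iterations, "digest": digest}


def strict_verify(record: dict, attempt: str) -> bool:
    """Recompute the digest from the exact attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def needs_rehash(record: dict) -> bool:
    """True for accounts still stored under a legacy scheme (migrate at next login)."""
    return record.get("scheme") != "pbkdf2_sha256"


if __name__ == "__main__":
    # Constructed sample values matching the article's example.
    original = "Password123"
    attempts = ["Password123", "password", "password123", "PASSWORD123xyz", "Passwor"]
    print("legacy accepts:  ", [a for a in attempts if legacy_verify(original, a)])
    record = make_record(original)
    print("hardened accepts:", [a for a in attempts if strict_verify(record, a)])
    print("legacy record needs rehash:", needs_rehash({"scheme": "legacy_truncating"}))
```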
I noticed this issue before reading this article and contacted Amazon, who have more or less ignored me for the past two weeks. I have finally got so frustrated that I have closed my Amazon account. Considering that my credit card details were stored in my account, I would have thought that Amazon would have taken password validation much more seriously.
I am so annoyed with the response to this issue by Amazon that I will never use them again for online shopping.
The progress of Idiocracy sometimes even surprises me.
I am sure that this is not true – aha, yes, it’s a bug:
http://www.reddit.com/r/WTF/comments/f96w7/amazon_security_flaw_wtf/?sort=new
However with no Google info on the past week, I am beginning to wonder…
Wow, this is just dumb. Unlike other websites (e.g. Gawker), Amazon is a commerce site and may contain sensitive financial or personal info of its users.
If someone doesn’t use his account, delete it, not make it easier to hack into. If someone can’t access his account, then he should just make a new one. Unless he has an affiliate account or unused store credits, there is really no reason not to start afresh.