According to the German technology news site Heise Online, the online shopping portal Amazon may accept password variants during login, that is, passwords that are not the exact password of the user account. The login script appears to ignore upper and lower case as well as any characters after the eighth position. Amazon would for instance accept the original password "Password123" but also "password" or "password123".
Not all Amazon accounts are affected by the security issue. According to Heise, only passwords that have not been changed for a long time are affected.
The only information available at this point in time is a test that Heise Online conducted. It revealed that a password that was changed last year was immune, while older passwords were not. Some commenters in the forum were able to use password variants on accounts where passwords had not been changed since 2007.
Amazon users can test whether their account is affected by logging into Amazon with a variant of their password. They could for instance change a lower case character to upper case, or append characters at the end of the password if it is at least eight characters long.
Affected accounts can be protected by changing the account password. Passwords are changed in the Change Name, E-mail Address, or Password setting under Your Account.
Update: It needs to be noted that the flaw still exists on all Amazon properties. Amazon customers who have been with the popular shopping portal for years need to change their passwords at the Amazon website to protect their account from the design flaw.
It appears as if Amazon has changed the password functions on their sites in past years to protect new customers and those who change their passwords from the issue.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.