Sep 14, 2011

Amazon Login May Accept Password Variants


The online shopping portal Amazon may accept password variants during login according to the German technology news site Heise Online. According to their information, Amazon may accept passwords that are not the exact password of the user account. The login script may ignore upper and lower case as well as characters after the eights position. Amazon would for instance accept the original password “Password123″ but also “password” or “password123″.
Not all Amazon accounts are affected by the security issue. According to Heise, only passwords that have not been changed for a long time are affected.
The only information available at this point in time is a test that Heise Online conducted. It revealed that a password that was changed last year was immune while older passwords were not. Some commenters in the forum were able to use password variants on accounts were passwords had not been changed since 2007.
Amazon users can test the vulnerability of their account by logging into Amazon. They could for instance change a lower case character to upper case, or append characters at the end of the password if it exceeds eight characters.
Affected accounts can be protected by changing the account password. Passwords are changed in the Change Name, E-mail Address, or Password setting under Your Account.

No comments:

Post a Comment