Critical security vulnerability at Amazon fixed
Online merchant Amazon has fixed a critical security vulnerability on its web site that allowed access to user accounts. Amazon fixed the problem immediately after The H's associates at heise Security informed the company. The issue seems to have affected all of Amazon's web sites for individual countries around the world.
The exploit was trivial. All that was required was to make a post in the customer forum with a specially formatted title along the lines of
The pages with the injected code could be linked to directly, allowing malicious users to send the links by email, and could also be reached directly from the forum. Amazon certainly could have quickly deleted the prepared forum posts with unusual titles, but that didn't happen. One public post that was part of the test stayed up for weeks without being discovered.
Michael E. discovered the vulnerability and informed heise Security, who passed on the details to Amazon yesterday afternoon. This morning, a spokesperson for the company called to say that the problem had been fixed.