Thursday, February 17, 2011

Amazon Vulnerability

By Cesar Ortiz
A flaw in Amazon.com's login apparently lets the company's servers accept passwords that are nearly, but not entirely, correct. It appears to affect only older passwords. For an affected account, Amazon accepts a password with extra characters appended after the 8th character, and it also treats the password as case-insensitive. That erases the advantage of a long, mixed-case password: an attacker guessing passwords with software only has to search the first 8 characters in a single case. Users noticed the behaviour first, and a number of people have since reproduced and verified it, including Wired. For example, if your password is "Password," Amazon.com will also let you log in with "PASSWORD," "password," "passwordpassword," and "password12345." Newer passwords do not appear to be affected, but it is not clear what the date cutoff is. In any event, simply changing your password, which stores it under the newer scheme, corrects the problem. As of the date of this post, neither the Amazon.com "Amazon Web Media Room" nor its "Safety and Security Tips" page said anything about this.
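The behaviour described above can be modeled as a password check that case-folds and truncates the password to 8 characters before hashing it. The following is an added example, not code from Amazon or from this post; the normalization step is an assumption chosen to reproduce the reported symptoms, not a claim about how Amazon's servers actually work, and the hash functions, salt handling and candidate list are constructed for illustration. It enrolls "Password" under both a legacy-style check and a hardened check, shows which of the post's variants each one accepts, and estimates how much brute-force work the legacy check throws away.

```python
"""Legacy-style (case-folded, 8-char truncated) password check next to a
hardened one.  Hypothetical model of the reported behaviour, not Amazon's code."""
import hashlib
import hmac
import math
import os

LEGACY_MAX_LEN = 8  # assumed truncation point, per the reported behaviour


def legacy_normalize(password: str) -> str:
    """Assumed model of the weak behaviour: keep the first 8 characters
    and ignore case.  Everything after the 8th character is discarded."""
    return password[:LEGACY_MAX_LEN].lower()


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Every password sharing the same first 8 case-folded characters
    # hashes to the same value, so all of them "verify".
    return hashlib.sha256(salt + legacy_normalize(password).encode("utf-8")).digest()


def legacy_verify(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(candidate, salt))


def hardened_hash(password: str, salt: bytes) -> bytes:
    # Full password bytes, case preserved, slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def hardened_verify(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, hardened_hash(candidate, salt))


def accepted_variants(real_password: str, candidates, hash_fn, verify_fn, salt: bytes = None):
    """Enroll real_password with hash_fn, then return the candidates verify_fn accepts."""
    salt = salt if salt is not None else os.urandom(16)
    stored = hash_fn(real_password, salt)
    return [c for c in candidates if verify_fn(stored, salt, c)]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space, in bits, for `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def legacy_effective_bits(length: int, folded_alphabet_size: int) -> float:
    """Search space the legacy check actually enforces: at most 8 symbols,
    drawn from the case-folded alphabet."""
    return keyspace_bits(folded_alphabet_size, min(length, LEGACY_MAX_LEN))


if __name__ == "__main__":
    # Constructed candidates: the variants from the post plus two real mismatches.
    candidates = ["Password", "PASSWORD", "password", "passwordpassword",
                  "password12345", "Passwor", "Passw0rd"]
    print("legacy accepts:  ", accepted_variants("Password", candidates, legacy_hash, legacy_verify))
    print("hardened accepts:", accepted_variants("Password", candidates, hardened_hash, hardened_verify))
    # A 16-character password over upper+lower+digits (62 symbols) versus
    # what the legacy check reduces it to (8 symbols over 36).
    print(f"nominal: {keyspace_bits(62, 16):.1f} bits, legacy-effective: {legacy_effective_bits(16, 36):.1f} bits")
```

Note that the mismatches "Passwor" and "Passw0rd" are still rejected by the legacy check: the flaw does not accept arbitrary wrong passwords, only those that agree with the real one in the first 8 characters once case is ignored. That is exactly the set a brute-force tool would enumerate, which is why the effective search space drops from roughly 95 bits to roughly 41 bits in the example above.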
