Recently, security vendor FireEye reported that a security hole in Amazon.com’s mobile program was found. Even if, it is now this vulnerability has been fixed, hackers have had an opportunity to an unlimited number of attempts guessing users‘ passwords.
At Amazon.com website entering password users may use 10 guesses and after that CAPTCHA is displayed for them; however, Amazon.com didn’t show CAPTCHA on its mobile applications for the iOS and Android platforms. This way, hackers were able to enter passwords for unlimited time. The research was done by FireEye researchers Min Zheng, Tao Wei and Hui Xue.
Amazon.com confirmed on February 19 that the problem was fixed.
Wei commented via email: “What makes things worse, many people just use the same password across different websites, so attackers can control more accounts than just Amazon’s after figuring out the password“. Moreover, the researchers also added that Amazon.com doesn‘t require “strong” passwords. It is possible to use weak passwords, such as, „123456“ or „111111“ and etc. which puts users‘s account at risk.
