FireEye found a hole in Amazon's security which meant that anyone using the retailer's mobile apps on Apple or Android devices could try accessing an Amazon account an unlimited number of times – so hackers could make as many password attempts as they liked until they got in.
This was in contrast to logging in via the Amazon website, which requires users to complete a ‘CAPTCHA’ test after 10 incorrect password attempts.
“This design flaw provides attackers with the chance to crack any Amazon account's password using brute force,” said FireEye's Min Zheng, Tao Wei and Hui Xue in a 26 February blog post detailing the problem.
FireEye also branded Amazon's overall password policy “weak” and a security risk because it accepts commonly used and easily cracked passwords like ‘123456’ and ‘111111’.
The researchers explained: “We know that the weaker the password, the easier for hackers to break into an account. Therefore, allowing weak passwords puts account safety to potential security risks.”
To prove their point, FireEye cracked the password of an Amazon account it had set up for the test within 1,000 attempts, using the latest version of Amazon's Android shopping client.
FireEye notified Amazon of the mobile-access problem on 30 January and was told it was fixed on 19 February.
But Amazon tackled the issue by patching its server so that it blocks users from logging in after multiple incorrect password attempts, rather than extending CAPTCHA protection to the mobile apps. And Amazon has still not enforced a stronger password policy, potentially leaving its nearly 240 million active customer accounts at risk.
FireEye said: “In the future, we suggest adding CAPTCHA support for Amazon mobile (Android and iOS) apps, and enforcing requirements for stronger passwords.”
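To make the three behaviours in this story concrete (unlimited attempts on the mobile API, a CAPTCHA after 10 failures on the website, and the account lockout Amazon shipped as the fix), here is an added example of a server-side login throttle with a pluggable failure policy, plus the common-password check FireEye recommends. This is illustrative code written for this article, not FireEye's test harness or Amazon's implementation. The 10-failure CAPTCHA threshold comes from the article's description of the website; the lockout window, the minimum length, the wordlist, the user names and the function names are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a real common-password denylist (a leaked-password list in practice).
COMMON_PASSWORDS = {
    "123456", "111111", "password", "qwerty", "12345678", "123456789",
    "abc123", "letmein", "iloveyou", "monkey", "dragon", "football",
}
MIN_LENGTH = 8  # assumed policy minimum for the demo, not Amazon's actual rule


def password_policy(password):
    """Return the list of policy violations for a candidate password (empty list = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common")
    return violations


class LoginThrottle:
    """Login endpoint whose response to repeated failures depends on `mode`:
    "unlimited": never throttles (the reported mobile-app behaviour)
    "captcha":   after `captcha_after` failures a solved CAPTCHA is required (web behaviour)
    "lockout":   after `lockout_after` failures the account is refused for `lockout_seconds`
    """

    def __init__(self, mode, captcha_after=10, lockout_after=10,
                 lockout_seconds=900, clock=time.monotonic):
        self.mode = mode
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock      # injectable so lockout expiry can be tested without sleeping
        self.users = {}         # username -> (salt, pbkdf2 hash)
        self.failures = {}      # username -> {"count": int, "locked_until": float}

    @staticmethod
    def _hash(password, salt):
        # Iteration count lowered for the demo; production should use a much higher count.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _verify(self, username, password):
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def attempt(self, username, password, captcha_solved=False):
        """One login attempt; returns "ok", "bad_password", "captcha_required" or "locked"."""
        now = self.clock()
        state = self.failures.setdefault(username, {"count": 0, "locked_until": 0.0})
        if self.mode == "lockout" and now < state["locked_until"]:
            return "locked"
        if self.mode == "captcha" and state["count"] >= self.captcha_after and not captcha_solved:
            return "captcha_required"   # even a correct password is refused until the challenge is solved
        if self._verify(username, password):
            state["count"] = 0
            state["locked_until"] = 0.0
            return "ok"
        state["count"] += 1
        if self.mode == "lockout" and state["count"] >= self.lockout_after:
            state["locked_until"] = now + self.lockout_seconds
            return "locked"
        return "bad_password"


def brute_force(throttle, username, candidates):
    """Attacker loop with no CAPTCHA solver: try candidates in order and give up as soon as the
    server demands a challenge or locks the account. Returns (password or None, attempts made)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        result = throttle.attempt(username, candidate)
        if result == "ok":
            return candidate, attempts
        if result in ("captcha_required", "locked"):
            return None, attempts
    return None, attempts


# Constructed wordlist, in the order an attacker might try it.
WORDLIST = ["123456", "password", "111111", "qwerty", "12345678", "123456789",
            "abc123", "letmein", "iloveyou", "monkey", "dragon", "football",
            "baseball", "welcome", "sunshine", "master", "shadow", "ashley"]


def demo(mode, **kwargs):
    """Register a hypothetical user with a weak password and run the attacker against `mode`."""
    throttle = LoginThrottle(mode, **kwargs)
    throttle.register("victim", "sunshine")   # accepted only because no policy was enforced
    return brute_force(throttle, "victim", WORDLIST)


if __name__ == "__main__":
    print("unlimited:", demo("unlimited"))               # ('sunshine', 15)
    print("captcha:  ", demo("captcha"))                 # (None, 11)
    print("lockout:  ", demo("lockout", lockout_after=5))  # (None, 5)
    print("policy:   ", password_policy("111111"))       # ['too_short', 'common']
```

Two caveats a practitioner would add. A per-account lockout hands an attacker a denial-of-service lever against any account whose username they know, which is one reason the website's CAPTCHA-after-N approach is often preferred over hard lockout. And per-account counters alone do nothing against credential stuffing, where the attacker makes one attempt per account across millions of accounts; that needs per-source rate limiting and a ban on passwords already in leaked lists, which is what the denylist check above models.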
Jason Steer, director of technology strategy at FireEye, told SCMagazineUK.com via email: “Not introducing CAPTCHA on mobile platforms is a risk to all mobile users. The security protecting mobile accounts is not as strong as using the web directly and attackers will always seek to use the weakest route in. Given the number of mobile users this essentially makes fraud easier. Another factor is Amazon accounts. Attackers can also use an Amazon account holder's details to access other accounts given that most users use the same password on multiple sites.”
Steer added: “Using CAPTCHA on mobile platforms should be considered fundamental best practice. However, as we regularly see, mobile apps are being built and pushed out often before security teams within an organisation have the time to check. This is likely the case here, as Amazon has excellent security across the rest of its business.”
Amazon is the world's largest online retailer and one of the top 10 global information technology firms, with 2013 revenue of £44.63 billion (US$74.45 billion). SCMagazineUK.com contacted Amazon for its views but it had not responded by the time of writing.
FireEye's investigation has spotlighted broader issues around password security, said Adrian Culley, global technical consultant with Damballa, who believes that Amazon and other organisations should accept it's their duty to enforce strong passwords among users and customers.
Culley told SCMagazineUK.com: “Companies have a responsibility, at least morally if not yet legally, to assist their staff, clients and customers in choosing strong passwords. It is not reasonable for us to expect the whole of society to become cyber security experts. However, it is reasonable to provide help by enforcing basic standards.”
He added: “There are no silver bullets and whilst the CAPTCHA system helps many, it is difficult for some people to use. We all expect the locks and keys for our cars to prevent them from being stolen - we do not expect to have to become master locksmiths in order for this to be so.”
Steer commented: “Getting users to have stronger passwords is a problem older than computers and there is a trade-off between complexity and ease of remembering, meaning that we have to make it easier for humans to authenticate without the need for static passwords.
“In the industry we are seeing the emergence of authentication using biometrics and the FIDO alliance is making progress to make it easier for people to better authenticate themselves. The harder we make it, the more expensive it becomes and what is reasonable very much depends on the risk and cost to the customer and business.”
The need for strong passwords was underlined earlier this week when Hold Security revealed it had found 360 million new sets of user account details available on the cyber black market (SC Magazine UK, 26 February). Hackers could exploit this trove of information to try to access many different organisations, especially if the same password works multiple times.