Security researchers from FireEye have uncovered security holes in Amazon’s mobile applications that could have been exploited by attackers to crack the passwords of Amazon accounts. The vulnerabilities have been addressed by Amazon.
The flaws – weak password policy, and no limitation or CAPTCHA for password attempts – impacted both the Android and the iOS apps.
CAPTCHAs are usually utilized to prevent attackers from breaching accounts with brute-force attacks. While on its website Amazon requires users to complete a CAPTCHA after 10 failed attempts, such protections were previously not implemented in the mobile apps.
Since there wasn’t any limitation to the number of incorrect password attempts and no CAPTCHA system was in place, cybercriminals could have used brute-force attacks to crack the passwords.
One way of preventing attackers from cracking passwords with brute force is by enforcing a strong password policy. That means requiring customers to set passwords containing both lower and uppercase letters, numbers and symbols.
However, Amazon allowed users to set passwords such as “123456” or “11111.” Since many people use these kinds of passwords, it would have been easy for cybercriminals to access accounts.
“After receiving our vulnerability report, Amazon hot fixed the first issue by patching their server. Now if the user tries multiple incorrect passwords, the server will block the user from login. In the future, we suggest adding CAPTCHA support for Amazon mobile (Android and iOS) apps, and enforcing requirements for stronger passwords,” FireEye experts noted in their report.