Tech journalist Kirk McElhearn appears to have stumbled across a disturbing security problem on Amazon.
In a nutshell, Kirk found that after enabling two-factor authentication on his Amazon account his browser ended up logged in to someone else's account - his son's.
Now, the natural thing to do is to assume that Kirk's son had been using his computer and not logged off. But Kirk's son lives in a different country, and confirmed that every time he comes to visit he uses his own laptop and has never logged into Amazon on Kirk's computer.
Kirk says he doesn't know his son's Amazon password, and that his son's Amazon password hasn't been saved by the browser (Firefox in this case).
But there is, says Kirk, one link between his son's Amazon account and his - they both have each other's address in their Amazon address books.
There is a link between us: we each have the other’s address in our address books. But there is no other link. We did share an Amazon Prime account several years ago, but, while he still uses Amazon Prime, my Prime account ran out a few months before I left France, or about three years ago.
I tried calling Amazon FR to find out what happened. The first time, the call got cut off while I was waiting for my case to be escalated. The second time, a person told me to just sign out, as if it wasn’t a big deal. I explained that it was a big deal, that I shouldn’t be able to see someone’s account in any way, not even their shopping cart. After several minutes, I was put on hold for a long time, then the call got cut off.
I’m quite worried about this. I now have two-step verification set up, but I don’t understand how I could be logged into someone else’s account. At least it’s my son’s account, and not some stranger’s, but this simply shouldn’t happen.
I'd be concerned too. I hope Amazon can explain what is going on, and treat the investigation with appropriate seriousness.
Kirk might be unusual - he has accounts with Amazon.com as well as its UK and French equivalents, and there is no suggestion yet that goods could be bought from someone's account, or that you would be able to access a complete stranger's Amazon account... but what he experienced just shouldn't happen, right?
Read more about what happened on Kirk McElhearn's blog: Serious Security Problem with Amazon; How Is This Even Possible?