Uh-oh. Has an Amazon account security problem been uncovered?

Amazon wide

Tech journalist Kirk McElhearn appears to have stumbled across a disturbing security problem on Amazon.

In a nutshell, Kirk found that after enabling two-factor authentication on his Amazon account his browser ended up logged in to someone else's account - his son's.

Now, the natural thing to do is to assume that Kirk's son had been using his computer and not logged off. But Kirk's son lives in a different country, and confirmed that every time he comes to visit he uses his own laptop and has never logged into Amazon on Kirk's computer.

Amazon iconKirk says he doesn't know his son's Amazon password, and that his son's Amazon password hasn't been saved by the browser (Firefox in this case).

But there is, says Kirk, one link between his son's Amazon account and his - they both have each other's address in their Amazon address books.

There is a link between us: we each have the other’s address in our address books. But there is no other link. We did share an Amazon Prime account several years ago, but, while he still uses Amazon Prime, my Prime account ran out a few months before I left France, or about three years ago.

I tried calling Amazon FR to find out what happened. The first time, the call got cut off while I was waiting for my case to be escalated. The second time, a person told me to just sign out, as if it wasn’t a big deal. I explained that it was a big deal, that I shouldn’t be able to see someone’s account in any way, not even their shopping cart. After several minutes, I was put on hold for a long time, then the call got cut off.

I’m quite worried about this. I now have two-step verification set up, but I don’t understand how I could be logged into someone else’s account. At least it’s my son’s account, and not some stranger’s, but this simply shouldn’t happen.

I'd be concerned too. I hope Amazon can explain what is going on, and treat the investigation with appropriate seriousness.

Kirk might be unusual - he has accounts with Amazon.com as well as its UK and French equivalents, and there is no suggestion yet that goods could be bought from someone's account, or that you would be able to access a complete stranger's Amazon account... but what he experienced just shouldn't happen, right?

Read more about what happens on Kirk McElhearn's blog: Serious Security Problem with Amazon; How Is This Even Possible?

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

15 Responses

  1. Mike

    November 20, 2015 at 4:34 pm #

    Phone calls about a serious security issue cut off twice, the second time after a casual dismissal of the issue? I really hope Amazon clarifies this; don't be a late 90s Microsoft, Amazon!

  2. coyote

    November 20, 2015 at 7:02 pm #

    'or that you would be able to access a complete stranger's Amazon account… but what he experienced just shouldn't happen, right?'

    And if it has logged him into another account who is to say it won't be someone else ? If it is sharing addresses does that mean it could happen to people who aren't related (not that it should happen at all) ? And even if it hasn't been shown to be able to purchase items it doesn't mean it is impossible and neither does it mean they can't do other things – many potentially harmful things.

    That they dismiss it is just as big of a deal if not more serious than the problem. Shameful to say the least.

  3. Eddie

    November 20, 2015 at 8:03 pm #

    I enabled two factor Authentication, and after I did that, I have two different shipping addresses now. We both have the same name but I don't know who this person is. I deleted his shipping address from my account, but am worried if anyone can order from my account now.

  4. Pete

    November 20, 2015 at 8:07 pm #

    One wonders whether the same cavalier attitude and deficient service is representative of a similar attitude across the entire range of Amazon services. (…cut off TWICE while reporting a serious security issue!?!?! Unconscionable.)

    Considering the number of companies that use Amazon Web Services as distribution infrastructure (not to mention the millions that use amazon.com for purchases), such slipshod service could be a disaster waiting to happen.

    Kudos to Kirk McElhearn for smoking out this problem, and to Graham for reporting it here. Hopefully, the story will make a big enough splash that Amazon won’t be able to dismiss it as easily as they did when Kirk did them the favor of reporting it, and got nowhere for his efforts.

  5. Dairenn Lombard

    November 21, 2015 at 1:16 am #

    Someone once told me that when companies don't take a serious issue seriously, you call their Investor Relations department to ask them if they know what's going on. Customers supposedly are the biggest voices companies listen to, but in many cases, the voice they listen to even more closely are that of their possible shareholders.

  6. elaine

    November 21, 2015 at 1:46 am #

    THIS is why my debit cards keep getting hacked. I am positive it is Amazon employees, but maybe it's someone who just get into my account.. I have a card to my business account that never leaves the drawer by my chair. I used it on amazon one time, and POOF, it was hacked. Every time I get hacked, it's related to amazon.

    I have almost quit buying from them for this reason. Now that I know others can see account and get my number…well…that's it. I'll buy local if I need stuff. it gets really old dealing with this fraud crap.

  7. Christina

    November 21, 2015 at 10:41 am #

    elaine – I work for a major online payment processor and you may want to have your IT department check your computer for malware or spyware if your cards are getting hacked when you use them online. It happens more frequently than one would realize. Just trying to pass along a wee bit of helpful advice for you. All the best and Happy Holidays to you and yours :-)

    Dairenn Lombard – Investor Relations……….this is GENIUS!! I will remember your tip and Thank you for sharing!!! Happy Holidays to you and yours :-)

  8. Kirk

    November 21, 2015 at 10:47 am #

    I'm the person who wrote the original article. To follow up, Amazon security sent me an email via the contact form on my website, so I've sent them all the info I have so they can look into it.

    I found Eddie's comment above, about seeing a new address in his account, to be quite interesting. It reassures me, in some ways, to know I'm not the only person something weird happened to.

    If I get any info back from Amazon, I'll post on my website and here in the comments.

  9. Sas

    November 21, 2015 at 2:18 pm #

    I've had similar problems with Amazon, three times now, when I've called in for tech support the agents keep signing me up for Prime. My uncle even called in on his account a couple months ago, and somehow my account got signed up for Prime again. It took roughly 20 phone calls to have the issue resolved, then a week to get my money back each time. After all the headache this caused me to get corrected, I made them remove all credit and bank information from my account. I've realized after this most recent headache that Amazon needs to add some kind of account protection to prevent their agents from getting into the wrong account and making changes.

  10. Mike

    November 21, 2015 at 3:18 pm #

    Agree with Christina – ongoing card compromises like that are more likely to be something on your PC than someone in Amazon, though clearly neither can be ruled out without some digging.

  11. John Lewis

    November 23, 2015 at 10:47 am #

    My advice is never to fill out a profile on any account (LinkedIn, FaceBook, etc.) that holds card details, have one (credit) card specifically for online purchases, don't post any private information about yourself, and don't trust 2FA that uses semi-public information (e.g. your mobile phone number). I don't post my photo either but that is also because I am ugly (my mother told me when I was 13).

  12. Pjh

    February 15, 2016 at 4:16 am #

    I just had a similar issue. I ordered some items through amazon and was on my phone, checking the order status. I used the link amazon provided in my order email but when I click it I get someone else's email and their stored password. Should I contact amazon?

  13. MsJinnifer

    February 17, 2016 at 11:16 pm #

    A friend just told me that she has had £79 Prime fee taken from her bank account by Amazon. She has no account with Amazon — never buys from them, so obviously never signed up for Prime. Amazon have told her that " there is no account associated with the payment" — (what?). All they can suggest is that it happened because someone else sent her something — (ie had her address atrtached to their account, in their address book.) That someone was me but I haven't sent her anything for at least 6 months. They are refusing to repay the money. None of this makes any sense. Has someone else hacked my account? If so, how did that give them my friend's bank details?!

  14. gabs

    March 9, 2016 at 8:35 am #

    I've got a crazy tale dealing with Amazon.
    Had bad experience on chat with rude Amazon rep yesterday.
    1st time ever.
    Even told "Michael" that was being rude.
    By perfect chance "someone" requested that my Prime membership be canceled.
    Via Email through Amazon's own interface.
    When I received the email and contacted a supervisor at Amazon via chat, she played dumb.
    As if a hacker somehow got access to my Amazon Prime account and instead of ordering themselves goodies or other malarky decided to cancel my account.
    No one has access to my pc, no one knows of my little account.
    Occam;s Razor would point to an angry, crazed AMazon employee requesting my Prime account be closed.
    So now my account is locked and as a disabled person who relied heavily on Amazon, I am furious.

  15. Brendan

    May 10, 2017 at 6:38 pm #

    Did anything ever come of this whole situation. I am dealing with fraud in my Amazon account. I had a random address in my account around the time of the first fraudulent purchase. It is local to me which makes it that much weirder. I did enable two-factor authentication but it was a bit after this address was added(had to ask amazon when it was added). I can't figure out why that address was in my account and just wonder if it may have a direct connection with the fraud. (If you could email me a response I would appreciate the help)

Leave a Reply