January 28th, 2011, 07:47 GMT · By

Eight-Character Password Bug Identified on Amazon

Older Amazon passwords have only eight relevant characters
A strange password bug has been identified on Amazon: for older passwords, letter case and everything after the first eight characters are ignored when a login is checked.

The discussion about this problem was started on Reddit by a user who noticed that Amazon's system would authenticate him even if he mistyped the ending of his password.

The truncation only matters for passwords longer than eight characters. For example, someone whose password is "iloveyouamazon" could also log in with "iloveyoufacebook" or simply "iloveyou", and, because case is ignored as well, with "ILOVEYOU".

At first this might sound like a serious security flaw, but after analyzing the implications one realizes that the practical impact is fairly limited.

Even if an attacker decided to target every account whose password begins with "iloveyou" or some other common eight-letter string, they would still need the matching email addresses, since Amazon logins require both.

Given the sheer size of Amazon's user base and the rate limiting the site most likely applies to failed login attempts, finding even a single match would take a long time, even with lists of already harvested email addresses.

In addition, the password must not have been changed in a long time, because the trick does not appear to work with passwords set more recently.

That is probably because the source of the bug is an old password hashing algorithm. The eight-character limit matches the traditional DES-based crypt() function found on Unix and Linux systems, which uses only the first eight characters of a password and silently discards the rest. That function is case-sensitive, however, so the case folding reported by users would have to be introduced elsewhere, for instance by normalizing the password before it is hashed.

The same weak crypt() scheme was also a key element in the major compromise that followed the leak of Gawker's user database last month.

However, the main reason those accounts were hijacked was that the database itself was available, which allowed attackers to run offline brute force attacks against the hashes. This is certainly not the case with Amazon.

The company could easily solve the problem by asking everyone affected to confirm their password, for example by typing it twice, the next time they log in, and using the occasion to store a hash computed with a stronger algorithm.
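The following is an added example, not Amazon's code and not a real implementation of crypt(3). It models the legacy behaviour described above (only the first eight characters count and case is folded) with a stand-in hash, and implements the fix suggested here: on the next successful login, the plaintext is available, so the stored hash is replaced with one from a scheme in which every character counts. The user store, email address and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed in-memory user store: email -> {"scheme", "salt", "hash"}.
UserStore = Dict[str, Dict[str, object]]

LEGACY_SIGNIFICANT_CHARS = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the old scheme: only the first eight characters are
    significant and case is folded, which is the behaviour reported on
    Reddit. This is NOT DES-based crypt(3); it only reproduces the
    observable effect so the verification and upgrade logic can be shown."""
    effective = password[:LEGACY_SIGNIFICANT_CHARS].lower().encode("utf-8")
    return hashlib.sha1(salt + effective).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Replacement scheme: every character counts, slow salted KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_record(password: str, scheme: str) -> Dict[str, object]:
    salt = os.urandom(16)
    digest = legacy_hash(password, salt) if scheme == "legacy" else modern_hash(password, salt)
    return {"scheme": scheme, "salt": salt, "hash": digest}


def verify(store: UserStore, email: str, password: str, upgrade: bool = True) -> bool:
    """Check a login; on success against a legacy hash, rehash with the
    modern scheme. This is the opportunistic migration the article
    suggests: the plaintext is only available while the user logs in."""
    record = store.get(email)
    if record is None:
        return False
    salt = record["salt"]
    if record["scheme"] == "legacy":
        ok = hmac.compare_digest(legacy_hash(password, salt), record["hash"])
        if ok and upgrade:
            # Caveat: only what the user just typed can be rehashed. Because the
            # legacy check accepts any string sharing the first eight characters,
            # a mistyped suffix would be locked in as the new password here.
            store[email] = new_record(password, "modern")
        return ok
    return hmac.compare_digest(modern_hash(password, salt), record["hash"])


def demo() -> Dict[str, bool]:
    """Walk through the article's example and return each outcome."""
    email = "user@example.com"  # constructed account
    store: UserStore = {email: new_record("iloveyouamazon", "legacy")}
    results: Dict[str, bool] = {}
    # Legacy behaviour: anything that agrees on the first eight characters passes.
    for label, attempt in [("exact", "iloveyouamazon"),
                           ("other_suffix", "iloveyoufacebook"),
                           ("truncated", "iloveyou"),
                           ("upper_case", "ILOVEYOUAMAZON")]:
        results["legacy_" + label] = verify(store, email, attempt, upgrade=False)
    results["legacy_wrong_prefix"] = verify(store, email, "ilovey0u", upgrade=False)
    # A login with the correct password triggers the upgrade...
    results["upgrade_login"] = verify(store, email, "iloveyouamazon")
    results["scheme_is_modern"] = store[email]["scheme"] == "modern"
    # ...after which the truncation trick no longer works.
    results["modern_other_suffix"] = verify(store, email, "iloveyoufacebook")
    results["modern_truncated"] = verify(store, email, "iloveyou")
    results["modern_exact"] = verify(store, email, "iloveyouamazon")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The upgrade step only helps once the user has typed the correct password in full; asking for it twice catches typos but cannot tell the real password from a variant the legacy check also accepts, which is why the comment in verify() flags that case.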

READER COMMENTS:


Comment #1 by: DSX on 28 Jan 2011, 16:13 UTC

So the end result is that if you haven't ever changed your Amazon password, now is the time to do so, just for the added protection.
