
Old Amazon Accounts at Risk Due to Security Flaw

You might think you have a password that no one could ever guess. However, an Amazon security flaw presents a whole new problem: anyone trying to gain access to an account doesn't actually need to know your exact password, because in some cases a variation of it will do.

"It appears that for passwords older than a certain age (indeterminate at this time), flawed hashing is used. If your password is > 8 characters you may be able to add garbage from the 8th character forward," writes one Redditor in a thread dedicated to the topic.

"For example: Password = newpassword; login using newpasswo11 might work. What this means is that all passwords older than X are effectively only 8 characters. It has also been pointed out that case does not seem to matter. If this flaw affects your password you can use NEWpasswo11, NewPassWo11, NEWPASSWO11, nEWpASSwO11, etc."

Another user explains that the problem probably stems from Amazon's use of the Unix crypt() function to hash older passwords.

"The man page of crypt states clearly that it truncates the input to 8 characters. (It also truncates each character to 7 bits but the consequences of that are less obvious.)," he explains.

So far the flaw appears to affect only users whose Amazon accounts are several years old and who are still using the same password. Users in the Reddit thread say that some were able to exploit the flaw at first, but that it stopped working after they changed their passwords. Amazon has yet to comment on the flaw.
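To make the crypt() truncation concrete from the defender's side, here is an added example (not code from the article or from Amazon) that models what traditional DES crypt(3) actually keys on, checks whether two passwords become indistinguishable to it, and audits a password store for accounts still carrying the legacy hash format so they can be re-hashed. It assumes PBKDF2-HMAC-SHA256 as a stand-in modern scheme and a constructed sample store; the case-insensitivity users reported is not a property of crypt(3) itself and is not modelled.

```python
import hashlib
import hmac
import os
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z],
# with no "$id$" prefix. Modern schemes ($1$, $5$, $6$, $2b$, ...) are prefixed and longer.
LEGACY_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def legacy_effective_input(password: str) -> bytes:
    """Model of what traditional crypt(3) keys DES with: only the first 8 bytes,
    each reduced to its low 7 bits. Anything past the 8th byte is discarded."""
    raw = password.encode("utf-8")[:8]
    return bytes(b & 0x7F for b in raw)


def legacy_collides(a: str, b: str) -> bool:
    """True when crypt(3) with the same salt would hash a and b identically."""
    return legacy_effective_input(a) == legacy_effective_input(b)


def is_legacy_hash(stored: str) -> bool:
    """Recognise a stored value produced by the 8-character-limited scheme."""
    return LEGACY_DES_RE.fullmatch(stored) is not None


def modern_hash(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Replacement scheme (assumption: stdlib PBKDF2-HMAC-SHA256 stands in for
    whatever a site really migrates to). Uses the whole password, all 8 bits per byte."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    _, _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def accounts_needing_rehash(user_db: dict) -> list:
    """Audit helper: accounts still on a legacy hash, to be re-hashed with the
    modern scheme (e.g. at next successful login) to close the truncation hole."""
    return sorted(user for user, stored in user_db.items() if is_legacy_hash(stored))


# Constructed sample store: the "old_account" value is a made-up legacy-format
# string (not a real hash of anything); "new_account" uses the modern scheme.
SAMPLE_DB = {
    "old_account": "abJnggxhB/yWI",
    "new_account": modern_hash("newpassword", salt=bytes(16)),
}
```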

(via Wired)