Old Amazon Accounts at Risk Due to Security Flaw

You might think you have a password that no one could ever guess. However, an Amazon security flaw presents a different problem: someone trying to get into an account doesn't actually need to know your exact password, because in some cases a variation of it will do.

"It appears that for passwords older than a certain age, (indeterminate at this time) flawed hashing is used. If your password is > 8 characters you may be able to add garbage from the 8th character forward,” writes one Redditor in a thread dedicated to the topic.

"For example: Password = newpassword login using newpasswo11 might work. What this means is that all passwords older than X are effectively only 8 characters. It has also been pointed out that case does not seem to matter. If this flaw affects your password you can use NEWpasswo11, NewPassWo11, NEWPASSWO11, nEWpASSwO11, etc."

Another user explains that the problem probably stems from Amazon's use of the Unix crypt() function to hash older passwords.

"The man page of crypt states clearly that it truncates the input to 8 characters. (It also truncates each character to 7 bits but the consequences of that are less obvious.)," he explains.

So far the flaw appears to affect only users whose Amazon accounts are several years old and who are still using the same password. Users in the Reddit thread report that the trick worked on their accounts at first but stopped working once they changed their passwords, which suggests the new password is stored with a different hash. Amazon has yet to comment on the flaw.
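As an added illustration, not code from the article or from Amazon (whose actual implementation is not public), the following Python models what the quoted Redditors describe: a crypt(3)-style scheme that only ever sees the first eight characters of the password, placed next to a hash of the whole password, plus a login routine that rehashes a legacy record the moment the user signs in, which is how such a flaw is usually retired without forcing every user to reset. The "legacy" hash here is a SHA-256 stand-in that keeps crypt's input truncation rather than real DES crypt; the case folding is an assumption that models the case-insensitivity the thread reports, since crypt's truncation alone does not explain it; all passwords and salts are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example: a legacy hash that only sees the first 8 characters of
# the password (crypt(3)-style truncation over a SHA-256 stand-in, NOT real DES
# crypt), beside a modern hash of the whole password, plus rehash-on-login.

LEGACY_MAX_LEN = 8          # traditional DES crypt(3) keys on the first 8 chars only
PBKDF2_ITERATIONS = 100_000


def legacy_key(password: str, fold_case: bool = True) -> bytes:
    """Effective key a crypt(3)-style scheme derives from a password: the first
    8 bytes, each masked to 7 bits. The thread also reports that case does not
    matter; truncation alone does not cause that, so case folding is modelled
    here as an assumption behind `fold_case`."""
    raw = password.encode("utf-8")[:LEGACY_MAX_LEN]
    key = bytes(b & 0x7F for b in raw)
    return key.lower() if fold_case else key


def legacy_hash(password: str, salt: str) -> str:
    """Stand-in for the old hash: SHA-256 over salt + truncated key. Real crypt(3)
    runs DES with a 2-character salt; the truncation, not the cipher, is why
    'newpasswo11' verifies as 'newpassword'."""
    digest = hashlib.sha256(salt.encode() + legacy_key(password)).hexdigest()
    return f"legacy${salt}${digest}"


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 over the whole password with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Check a candidate password against a stored record of either format."""
    scheme, *fields = record.split("$")
    if scheme == "legacy":
        salt, _ = fields
        expected = legacy_hash(candidate, salt)
    elif scheme == "pbkdf2":
        iters, salt_hex, _ = fields
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        expected = f"pbkdf2${iters}${salt_hex}${dk.hex()}"
    else:
        return False
    return hmac.compare_digest(expected, record)


def verify_and_upgrade(record: str, candidate: str) -> Tuple[bool, str]:
    """Login path that retires legacy records without a forced reset: when the
    candidate verifies against a legacy record, the full plaintext is in hand,
    so rehash it and hand back the replacement record to store."""
    ok = verify(record, candidate)
    if ok and record.startswith("legacy$"):
        return True, modern_hash(candidate)
    return ok, record


if __name__ == "__main__":
    old = legacy_hash("newpassword", "Qx")   # constructed salt
    new = modern_hash("newpassword")
    for guess in ["newpassword", "newpasswo11", "NEWPASSWO11", "nEWpASSwO11", "newpassx"]:
        print(f"{guess:12s} legacy={str(verify(old, guess)):5s} modern={verify(new, guess)}")
```

Two things the block makes visible that the quotes only imply: under the legacy record every string sharing the first eight (case-folded) characters is a valid password, so an attacker's search space is eight lowercase-equivalent characters regardless of how long the real password is; and the upgrade path stores whatever string verified, so a user who habitually types a variant such as newpasswo11 would lock that variant in as the only accepted password once rehashed.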

(via Wired)

Jane McEntegart works in marketing communications at Intel and was previously Manager of Content Marketing at ASUS North America. Before that, she worked for more than seven years at Tom's Guide and Tom's Hardware, holding such roles as Contributing Editor and Senior News Editor and writing about everything from smartphones to tablets and games consoles.

  • dogman_1234
    And I wanted to buy from Amazon! Well, hope they resolve it before anything goes down. Would hate to see them fall with the hundreds of stolen passwords. Think of what would happen to THG if this happened.
  • trainreks
    They just realized this? I realized this months ago when I accidentally mistyped my password and it let me in.
  • dalauder
    So my first 8 characters of my password still work--it's just not case sensitive. This isn't really a big deal, but Amazon should have notified users of a "change to password policy" that required all users to create a new password and allowed the previous password to be used.
  • Hey, how did you guys know my new password?
  • endoftheline2
    I tried this flaw and it does not work on my current password, which I have not changed for quite some time.

    A bigger security issue, is the fact they still let you use a 4 character password.
  • gagaga
    otacon72: I hope you're being sarcastic..if not you might want to read the article. It has nothing to do with stealing passwords. I use the same 10 digit alphanumeric with ascii characters password for everything. Someone wants to try and crack that be my guest.
    What, like the rogue admin of a site you use that stores passwords in clear text in their database?

    Strong passwords are only strong if they are only used in one place.
  • marcus_br
    Yes, VERY insecure...you just have to guess an 8 digit alphanumeric password, put simply...your chances are: 1 in 37^8...a very easy to crack pass...at 3,512,479,453,921 possibilities.

    Considering the account gets locked when you try X times...it may take just a few gazillion years...VERY RISKY!
  • ssddx
    gagaga: Strong passwords are only strong if they are only used in one place.
    So true. Everyone should keep a spare binder around with the hundreds of different username/passcode combinations. All alphanumeric with special characters. This isn't going to happen for the majority of society. At least the password isn't 123456.
    Amazon should really send out an email telling people to update their passwords (if only to change them right back) just so the accounts get updated. The first 8 characters of a password should be strong anyways (if not perhaps rethink your password!)
  • waikano
    Just checked mine. Case sensitivity was not working (in that if I used the wrong case I could still get in), but I couldn't just add anything after the 8th character to get it to work. So not sure what gives there. After changing it, both case-sensitivity and 9+ characters appear to work securely.
  • PudgyChicken
    Yet again, another piece of old news. Get with the times TH.