Massive Amazon security hole “fixed” without comment

Aug 7, 2012

If you use the internet (and we know you do) you need to read about the massive "hacker" meltdown an online journalist experienced this week, caused by security holes between the cloud systems of two major networks. The "hack", as some are calling it (when it comes down to it, it was rather a clever realization), opened up one user's account with a simple phone call to Amazon. Once Amazon allowed the impostor to access one small element of the victim's account, the rest came tumbling down like a house of cards.

The key piece of this puzzle was the Amazon call-in policy that allowed anyone to change the email address on a user account, so long as they could give the user's name, email, and physical mailing address. As of this morning this is no longer allowed; Amazon commented to Wired that it changed the policy for "your security" and refused to comment further.

The exploit (again, this isn't really a hack when it comes down to it) only required the "hacker" to know the victim's email address, which is easy to guess; their full name, which again is obvious; and their physical mailing address. This last bit was available, in this case, in a "whois" record for a site the victim owned. A "whois" is a listing of the ownership of a website, also known as "Domain Registration Information", which many web hosts make available without question.

Once the hacker was able to change the email address on the victim's Amazon account, they were also able to see the last four digits of the victim's credit card, which are shown to any person logged in to their own account, of course. Once the hacker had these digits, they were able to call Apple's iCloud support and use that information to "confirm" their way into the victim's iCloud account as well. One company's freely available account information was used to easily break into another's.

Now this "hole" is fixed, but you still need to be on your guard. Keep your eyes open for exploits such as these, have a look at our post this morning about double-locking your Google account, for example, and simply stay smart.
