Impossible account login a potential security hole for Amazon?
Fri 20 Nov 2015
A potential security issue has been raised with respect to the Amazon website.
The problem was discovered by a tech journalist, Kirk McElhearn, while enabling two-step verification on his Amazon account. Mr McElhearn said in his post that he has accounts with the Amazon.com, UK and French versions of the site.
The two-step process offers extra protection by requiring the user to sign in to the Amazon account with a unique six-digit code that is sent via text message. This ensures that no one can log into the Amazon account from a new, untrusted device without a code.
However, Mr McElhearn discovered that on logging in, he had somehow been logged into his son’s account. This was a concern for a number of reasons. For one thing, Mr McElhearn’s son lives in another country, and whenever his son came to visit and wanted to log into Amazon, he did so using his own laptop rather than his father’s. Another factor is that Mr McElhearn does not know his son’s password, nor has it been saved by Firefox.
Mr McElhearn wrote that the only link between his account and his son’s account is that they both have each other’s address in their Amazon address books.
Following the incident, Mr McElhearn twice attempted to contact Amazon to get to the bottom of the problem. However, on both occasions he received no satisfactory answer. The first time, he was cut off after phoning the company. His second call put him through to a member of the team, but he was simply told to sign out of the account, before being put on hold and then cut off again.
Concluding his experience, Mr McElhearn wrote: “I’m quite worried about this. I now have two-step verification set up, but I don’t understand how I could be logged into someone else’s account. At least it’s my son’s account, and not some stranger’s, but this simply shouldn’t happen.”