Feeds

Amazon purges account hijacking threat from site

XSS no more

Choosing a cloud hosting partner with confidence

Amazon.com administrators on Tuesday closed a security vulnerability that made it possible for attackers to steal user login credentials for the highly trafficked e-commerce website.

The XSS, or cross-site scripting, bug on Amazon Wireless allowed attackers to steal the session IDs that are used to grant users access to their accounts after they enter their password. It exposed the credentials of customers who clicked on this link while logged in to the main Amazon.com page.

It was discovered by Nir Goldshlager, a researcher from security consulting company Avnet. It was purged from Amazon about 12 hours after The Register brought it to the attention of the website's security team.

"This is very bad news," web application expert Jeremiah Grossman of WhiteHat Security said of the flaw shortly before it was fixed. People who fell for the attack would likely be unaware anything was amiss "since it all takes place on Amazon's website."

XSS bugs are the most commonly found security vulnerability, Grossman added. A similar flaw was recently exploited to give malicious hackers access to a heavily fortified server operated by the security-conscious Apache Foundation. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.