A new security loophole in Amazon's mobile application has been found by security researchers at FireEye. FireEye predicts that Amazon's mobile application could be exploited by attackers to crack the passwords of Amazon users. The flaws are: no limit on login attempts, a weak password policy, and no CAPTCHA on password attempts. In today's world nearly every website or mobile application enforces these three controls. The flaw was detected in both the Android and iOS apps.
According to FireEye, “As there is no limitation to the number of incorrect passwords and there are no CAPTCHA options for App Users, Attackers can easily use Brute-Force method to crack passwords.”
While users of the Amazon website have to enter a CAPTCHA code after a number of failed login attempts, no such option was available in Amazon's Android and iOS apps.
[Image: Amazon Android app. Image credits: androidcommunity.com]

One way of preventing brute-force attacks is to enforce a strong password policy, meaning that a password must contain a combination of lowercase letters, uppercase letters, symbols and a few numbers. However, Amazon does not enforce any such policy and openly allows users to set passwords such as “123456”, “abcdefg”, “qwerty”, etc. Some less technically savvy people use such weak passwords because they are easy to remember, not realising that they are very weak and that any attacker can easily take over their Amazon accounts and misuse them.
After the discovery, FireEye says: “After receiving our vulnerability report, Amazon hot fixed the first issue by patching their server. Now if the user tries multiple incorrect passwords, the server will block the user from login. In the future, we suggest adding CAPTCHA support for Amazon mobile (Android and iOS) apps, and enforcing requirements for stronger passwords.”
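The two server-side controls the article describes, blocking an account after repeated wrong passwords and rejecting weak passwords at registration, are shown below in a small added example. This is illustrative code written for this page, not Amazon's or FireEye's code; the thresholds (5 failures, 15-minute lock, 12-character minimum), the `AuthService` class and the blocklist contents are assumptions, with the blocklist seeded from the article's own examples.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

# Policy constants (assumed values; the article names the controls, not the numbers)
MAX_FAILED_ATTEMPTS = 5      # consecutive failures allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long a lock lasts
MIN_PASSWORD_LENGTH = 12

# Constructed blocklist, seeded with the weak passwords the article mentions
COMMON_PASSWORDS = {"123456", "abcdefg", "qwerty", "password"}


def check_password_policy(password):
    """Return (ok, reason) for the policy the article describes:
    lowercase + uppercase + digit + symbol, plus a length floor and a blocklist."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password blocklist"
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    checks = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in checks.items():
        if not re.search(pattern, password):
            return False, f"password needs at least one {name}"
    return True, "ok"


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256: a slow hash so leaked hashes are also costly to guess offline
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthService:
    """In-memory login service with per-account failure counting and temporary lockout
    (hypothetical class for this example; the clock is injectable for testing)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}                      # username -> (salt, hash)
        self._failures = defaultdict(int)     # username -> consecutive failed attempts
        self._locked_until = {}               # username -> unix time the lock expires
        # Hash a dummy credential so unknown usernames cost the same time as real ones
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password("dummy-credential", self._dummy_salt)

    def register(self, username, password):
        ok, reason = check_password_policy(password)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Does not reveal whether the username exists."""
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        salt, expected = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        actual = _hash_password(password, salt)
        if username in self._users and hmac.compare_digest(actual, expected):
            self._failures[username] = 0      # a good login clears the failure counter
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0      # counter restarts once the lock expires
        return "denied"

    def is_locked(self, username):
        return self._locked_until.get(username, 0) > self._clock()


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "Correct-Horse-7")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("alice", "wrong-guess"))   # denied, repeated
    print(svc.login("alice", "Correct-Horse-7"))    # locked, even with the right password
```

The lock is keyed by account, so it stops the exact attack the article describes (unlimited guesses against one user) without a CAPTCHA; a production deployment would persist the counters in shared storage rather than process memory, and would pair the per-account lock with per-source-IP throttling so that a lock cannot itself be used to keep a legitimate user out.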