According to FireEye, “As there is no limitation to the number of incorrect passwords and there are no CAPTCHA options for App Users, Attackers can easily use Brute-Force method to crack passwords.”
Users of the Amazon website have to enter a CAPTCHA code after a number of failed login attempts, but no such protection was in place for the login flow used by Amazon's Android and iOS apps, so an attacker could submit guesses against an account without limit.
One way of raising the cost of a brute-force attack is to enforce a strong password policy, i.e. to require that a password mix lowercase letters, uppercase letters, digits and symbols, and to reject passwords that appear on lists of commonly used or previously breached passwords. Amazon did not enforce any such policy and openly allowed users to keep passwords such as “123456”, “abcdefg” or “qwerty”. Many users choose passwords like these because they are easy to remember, without realizing that they are also the first guesses any attacker will try, and that an account protected this way can be taken over and misused in minutes. A password policy only makes guessing more expensive, though; it does not stop guessing. The primary control against online brute force is server-side rate limiting or lockout after repeated failures, which is exactly what the mobile login endpoint was missing.
After reporting the vulnerability, FireEye says: “After receiving our vulnerability report, Amazon hot fixed the first issue by patching their server. Now if the user tries multiple incorrect passwords, the server will block the user from login. In the future, we suggest adding CAPTCHA support for Amazon mobile (Android and iOS) apps, and enforcing requirements for stronger passwords.”
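The following is an added example, not code from FireEye or Amazon, showing what the two controls discussed above look like on the server side: a failed-attempt counter with a sliding window and temporary lockout (the kind of blocking Amazon's fix introduced), and a password-policy check that rejects the weak passwords named above. The thresholds (5 failures, 15-minute window and lockout), the account name and the short common-password list are assumptions made for the example; a real deployment would use a large breached-password list and tune the thresholds to its own traffic.

```python
"""Server-side brute-force mitigation for a login endpoint.

Added example; not FireEye's or Amazon's code. Thresholds and the
common-password list below are assumptions chosen for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5            # assumption: failures allowed before lockout
WINDOW_SECONDS = 15 * 60    # assumption: failures older than this are forgotten
LOCKOUT_SECONDS = 15 * 60   # assumption: how long an account stays locked
PBKDF2_ROUNDS = 100_000

# Constructed sample blocklist; production code would load a breached-password list.
COMMON_PASSWORDS = {"123456", "abcdefg", "qwerty", "password", "12345678", "letmein"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list means accepted)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so an offline attack is expensive too; the cost is also
    # paid for unknown users below so timing does not reveal valid account names.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGate:
    """Authenticates users and locks an account after repeated failed attempts."""

    def __init__(self, clock=time.monotonic):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so the behaviour can be tested without sleeping

    def register(self, user: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Every failure is counted, lockout is enforced
        before the password is even checked, and a correct password does not unlock."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            _hash_password(password, b"\x00" * 16)  # burn the same cost for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return "locked"
        return "denied"


def simulate_bruteforce(guesses: list[str], correct: str = "Correct-Horse-Battery-9!",
                        step: float = 1.0) -> list[str]:
    """Register one account (assumed name 'alice'), then feed it a guess list,
    advancing a fake clock by `step` seconds per attempt; return each outcome."""
    clock = [0.0]
    gate = LoginGate(clock=lambda: clock[0])
    gate.register("alice", correct)
    outcomes = []
    for guess in guesses:
        outcomes.append(gate.login("alice", guess))
        clock[0] += step
    return outcomes


if __name__ == "__main__":
    attack = ["123456", "qwerty", "abcdefg", "password", "letmein", "Correct-Horse-Battery-9!"]
    print(simulate_bruteforce(attack))  # the correct password arrives after lockout and is refused
    print(password_policy_violations("123456"))
```

Two caveats a practitioner would add. Per-account lockout on its own lets an attacker lock a victim out deliberately, which is why it is normally paired with per-source-IP throttling and, as FireEye recommends, a CAPTCHA challenge that is triggered after a few failures rather than a hard lock; the structure above accepts that extension by keying a second counter on the client address. And the mobile client must not be trusted to enforce any of this: the app is just another HTTP client, so the counting has to happen at the endpoint the app calls, which is where it was missing here.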