Secure Amazon Seller Central password reset page XSSed

Written by DP

Wednesday, 13 October 2010

Just another critical cross-site scripting vulnerability has been reported by "See Me" for Amazon Seller Central, a secure website where sellers who signed up for the "Checkout by Amazon" service can view and manage their orders. 
The XSS bug affects the "Password Assistance" page, thus becoming the ideal phishing weapon for fraudsters who target sensitive personal and financial information. As you can view in the following screenshot, "See Me" injected an iFrame tag that retrieves the first page of Instead, with border set to 0 in the tag, it could retrieve a deceitful seller central user login page that logs authentication credentials in cleartext and sends them to the fraudster's e-mail inbox.
Amazon is usually quick at remediating security issues affecting their online properties. Of course, they should go through a thorough source code security review and testing before they put stuff live.

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.