Over the course of the last few days I’ve discovered what appears to be – or possibly to have been – a fairly notable potential security hole in the Amazon UK website (and possibly others, but I only use the UK site on a regular basis). I will go into detail below about the nature of the security hole and how I discovered it – but first I want to point out that I’ve been trying to cause the problem to manifest itself again today, and failing. This might mean that the problem – which appears to have been triggered on my own Amazon account in August 2010 – has already been fixed. It might also mean, however, that I simply haven’t been able to establish all the variables that caused it to happen.
In other words, the problem I am about to describe might already be fixed, or it might not. I have no way of knowing one way or the other.
I was planning to wait before publishing this, but I’ve decided to proceed because I am somewhat less than happy with Amazon’s response to my emails on the subject – details at the very end of this post.
Background: The events leading up to my discovery
As I’ve mentioned elsewhere, my normal approach when conducting business online is to use a unique email address for companies from whom I am purchasing, and to ensure I am not signed up to receive any marketing emails. What I haven’t mentioned is that I have two domains that I use specifically for this purpose – one that I originally used, and a newer domain that was intended as a replacement; I registered the second domain and planned to migrate the more regularly used unique addresses over to it from the old one. To this end, whenever I re-visited a website in order to purchase something, if I hadn’t at that point already done so I would log into my account and change the email address.
According to my email archives, I carried out this step with Amazon’s UK website on 29th August 2010: I logged into my account, and changed the email address on that account from the unique address at my old domain to a unique address at the new one. I received two emails confirming this – one came to the old address (giving me the opportunity to put a stop to this change, in the event that someone else had gained access to my account and had instigated it) and one came to the new address.
Shortly after this, I began receiving unsolicited commercial email from Amazon to the old address. Somehow, although my settings were to not receive such emails, now that I had changed email addresses I’d started receiving them at the old address, which is clearly not right. Initially, I put this down to a glitch in the system and ignored them – but eventually, when it was clear that it wasn’t going to stop of its own accord, I decided to do something about it.
Without going into the full history, I made several attempts to stop these emails which, at times seemed to work for a brief period, though eventually they’d start again.
This week, I received three of Amazon’s emails in as many days to that old email address, and I decided enough was enough: I hunted around and found two email addresses for Amazon and, on 6th April 2011, I forwarded the third of their emails (from the address to which they had sent them) to these addresses with a very harshly worded complaint. A short exchange took place, and the last email I received in that initial exchange, dated 7th April, 2011, said:
I can confirm that the email address, [old address], is still linked to an account on the Amazon.co.uk website, although this account has not been used to place an order since March 2010.
And:
When you set up an account with Amazon, you are automatically subscribed to our promotional emails, and you must unsubscribe at the link included on my previous email. You may have unsubscribed your new email address from these emails, but when I checked yesterday, the [old address] email address was still subscribed to these.
There is at least one error in this – I didn’t change the email address with them until August 2010, and there were orders placed between March and August (I’m a fairly regularly Amazon customer – I don’t think a month goes by when I don’t place at least one order, usually more). My archives contain the confirmation emails that Amazon sent in this period- and all sent to the old email address. At this stage, I also noticed that even after the change of address I had continued to receive other emails from Amazon at the old one; things like dispatch notifications for items I’d ordered before changing the email address, but which weren’t due to be shipped until after.
Original conclusion: the cause of the promotional emails
My initial conclusion was that when someone changes email addresses on their Amazon account, what the Amazon system actually does is create a new account – effectively ‘forking’ the account into two. Logically, the new account would be the one based on the new address, but the statement that “When you set up an account with Amazon, you are automatically subscribed to our promotional emails” coupled with the events as described – that the old address started receiving promotional emails – suggests that the ‘new account’ status is applied to the one with the old address.
I began to draft a reply to their email, pointing out that this is a system which really needs to be addressed, but I didn’t have time to finish and I put it to one side, intending to carry on with it later.
As I drove to my client for the day, however, I gave the matter some thought, and realised that the problem could be far worse than my initial conclusion suggested: there could actually be a much more serious issue here, and I decided to test it at as soon as I had a chance. What follows is a step by step breakdown of what I did, with screenshots and my conclusions, along with my opinion of the seriousness of the problem.
Testing the theory: is the problem more serious than just promotional emails?
When I visited Amazon and attempted to log in I was presented with a page into which I needed to enter my email address and password, as any regular customer would expect if they weren’t at that point already logged in:
- amazon.co.uk log in screen
I entered my old Amazon address and, although I know my password, I wanted to work on the basis that I didn’t. I therefore clicked on “Forgotten your password?” and was presented with a request for my email address along with a captcha:
With the (old) email address and the text from the captcha entered, I clicked on “Continue” and I was presented with a page telling me that I would receive an email containing further instructions:
I checked my email and, as expected, I had one from Amazon (at the old address) containing a link on which I needed to click:
Upon clicking the link in the email, the page that opened allowed me to enter a new password:
After entering my new password and clicking “Save Changes” I was presented with a confirmation that I had successfully changed my password:
So, by this stage, I had successfully gained access to my old account without knowing the original password, only having access to email at the old address. I was now logged in.
As anyone who uses Amazon will know, at the top right of all Amazon pages there is a link to “Your Account”.
I clicked on this and was presented with the same “Your Account” page that any Amazon customer must be perfectly familiar with. A page that allows the customer to view their order history, change various account settings and various other things, including the ability to “Manage your Payment Methods”:
Clicking on this resulted in a prompt to enter my email address and password, and upon doing so (with the old address and newly changed password for it, obviously) I was presented with a screen containing the payment methods that were on my Amazon account at the time I changed the email address. Most of these had either expired before August 2010, or have expired in the meantime. However, there was one on the account that remained current, having an expiry date in August 2011:
So, in other words, this second account, apparently created on Amazon’s system at the point I changed the email address I use for them, is a complete snapshot of my account at that point in time. As noted earlier, any emails relating to orders that were incomplete at that point were sent to the old email address, and the account contains all my details – including my address and my payment methods.
Conclusion: A forked account on Amazon is an open account
When a customer places an order with Amazon, they are able to specify a delivery address, which may differ from the account holder’s address – and having now gained access to this second account, I could very easily use it to purchase goods from the company.
- What if I had changed my email address because I was intending to let go of the domain on which the address was set up?
- What if that domain was then taken up by someone else?
- What if the domain’s new owner downloaded all email for the domain, rather than set up specific addresses?
- And what if the domain’s new owner was unscrupulous?
The answer to that combined set of questions is that the hypothetical new owner of my old domain would be able to gain access to an Amazon account in my name and order goods using any of my cards that was still valid.
I am a very regular Amazon customer. I buy a lot from them and because of this, although I am very meticulous about checking credit card statements etc, if I see a number of Amazon transactions and know that I’ve used Amazon a number of times during the month (or received goods I might have ordered some time ago), I take it as read that they are correct. I don’t check them individually. What this means is that if I had let the old domain go and, as a result, someone had gained access to my forked Amazon account using the above method, they could have purchased goods from Amazon and I probably wouldn’t have noticed. (Smallish purchases, anyway – larger ones would have set alarm bells ringing).
(Obviously, in light of this, in future I will be comparing any payments to Amazon on my statements with actual orders placed and goods received.)
A similar scenario could occur for individual email addresses; I assume ISPs don’t habitually re-use defunct addresses for new customers, but I have seen instances where people have used their address at their place of employment for purchasing goods online, and these addresses might be continued after they leave so as to ensure no important business communications are lost.
Forking the account now: Has the problem already been resolved?
I have attempted to cause the account to fork again, by doing what appears to have caused this to happen in August: by changing the email address. I made three attempts at doing this using the account associated with my old address.
Firstly, I simply logged in and changed the email address, and then tried to log in using the old address using the same method as above – i.e. working on the basis of someone who doesn’t have the password, only access to the email account, exactly as I did before. The attempt failed.
I also attempted to simply log in using that old address and the new password I’d set up for it earlier – and this, too, failed.
Secondly, wondering if the reason the forking occurred in August was because I had outstanding orders on the account (remembering that I received subsequent notifications regarding those orders at the old address, rather than the one I had changed it to) I used the newly changed details to log into the old account and place an order for an item that won’t be sent out until October 2011, before changing the address once again, and repeating the above log in/password reset trials. In both cases I had the same results – both attempts failed.
Thirdly, wondering if the significant factor was the number of outstanding orders, I changed the email address for my ‘real’ Amazon account – the one that I carried on using with the new email address, oblivious to the fact that I now had two accounts. Having changed the email address, I again attempted to log in using the pre-change address, as well as to reset the password using that address, and both of these attempts failed.
It therefore appears that although my Amazon account forked when I changed the email address in August 2010, I can’t seem to make it happen now.
There are a number of possible explanations for this.
- The problem that caused my account to fork in August has already been fixed: Amazon had already become aware of it at some point between August and now – so it shouldn’t happen again for me or anyone else who chooses to change email addresses.
- The problem that caused my account to fork in August has already been fixed, by accident when Amazon made some other changes to the system – so it shouldn’t happen again for me or anyone else who chooses to change email addresses.
- The problem is still there, but I haven’t worked out all the variables: Some specific set of circumstances, more than just outstanding orders and a change of email address, causes the fork to occur.
- The problem was never a simple case of this is what would happen if… instead, it’s a glitch; some intermittent fault in the system that could cause the fork to occur, with no easy way to determine why or when.
If the situation is #1, and Amazon have already become aware of and fixed the problem, then they should surely have made some effort to ‘clean up’ and not leave these forked accounts on their system, waiting for someone to find them – as I have now done with my own – or to contact customers who might be affected, customers who have at any point changed their email addresses with Amazon.
If the situation is #2, then Amazon now needs to make that same effort to ‘clean up’ etc. that they should have already done if the situation is #1.
If the situation is #3 or #4, then Amazon needs to start investigating the problem with a view to resolving it as soon as possible – and, again, they need to make some effort to identify and ‘clean up’ any already forked accounts.
In all cases, just leaving the accounts live on their systems waiting to be used and/or abused would be totally unacceptable.
Amazon’s response: Why I’ve chosen to publish now and not wait
After I realised and tested the possibility of gaining access to a forked account without a password, only access to the email address associated with the account, I sent an email to the Amazon customer service executive who had replied to my previous emails, explaining what I had been able to do and explaining that I considered this a significant risk. I sent further emails as I carried out my subsequent tests – my attempts to fork the account, which I hadn’t thought to do initially. These emails outlined what I had done, and what I believed the implications were.
I did and still do consider this a serious problem because, as I’ve said, the ‘forking’ problem might be fixed, but it might not and, even if it has, there might still exist forked accounts that could potentially be vulnerable – if my account forked, there is a very good chance it has happened to other accounts as well.
I would have therefore expected a prompt reply – those previous replies from Amazon were very prompt indeed – even if only to say “We’ve passed this on to the relevant department, who are looking into it,” and in one of my emails today, I made that point.
Note: The email address used in these circumstances appears to be a unique address, tied specifically to the customer contact that has been made. As such, although I was addressing my previous correspondent by name in the message itself, it’s reasonable to assume that anybody in the same department at Amazon would be able to read and respond to correspondence on any given issue.
This afternoon, I received this in reply to one of today’s emails:
I am contacting you on behalf of my colleague, [name], who is currently out of the office.
Please note that [name] will respond to your enquiry on her return on Monday 11th April 2011
That reply quoted my own emails back to me in full, which therefore confirms that the person who sent it must have been able to read what I had said – and should therefore have been able to see how important the issue is that I was reporting on.
And yet that person seemed to think it was acceptable to let it wait until Monday.
And that is why I’ve decided to publish this tonight.
11th April 2011: Update 1: Amazon passes the buck
This morning, I received the following email from the person with whom I have been communicating on this issue:
Dear Mr Hudd
Thank you for your emails.
We have researched your complaint, and I can confirm that if you change your email address on your account, you should still have just one account, and an email should be sent to you, to confirm the email address change.
What seems to have occurred with your account, is that when you entered your new email address, you may have inadvertently set up a new account. We have recently changed the system, so that only one customer account can be held with any email address.
If you wish for me to close the old account, held with your email address, [old email address], please let me know. Please note that we cannot offer any additional insight into the internal workings of Amazon.
Thank you for your understanding.
Regards
My inference from the first paragraph is that, just as I did on Friday, they’ve tried changing email addresses on one or more test accounts to see if the accounts forked, but it didn’t work and no secondary accounts were created – in other words, they couldn’t replicate the problem, which I was unable to do when I tried. The phrasing, to me, suggests that their conclusion is that the problem either doesn’t exist, or has magically fixed itself.
The second paragraph leans towards the former of those – that the problem doesn’t exist – by passing the blame for the creation of the second account onto me, the customer: “when you entered your new email address, you may have inadvertently set up a new account.” I’m undecided about the last sentence in that paragraph, which seems to have no bearing whatsoever on the problem I’ve tried to report.
Bearing in mind that, as I’ve explained above and in my emails to them, I received two emails from Amazon at the time I changed my email address to confirm that what I had done was change my email address, I’ve now checked the steps on the Amazon website, to see if there is something I could have inadvertently clicked to cause this to happen.
I logged into my (old) account, clicked on the “Your Account” link on the top left, and on the next page scrolled down to the “Settings” section, which will lead me to the relevant page of options:
From there, I would have clicked “Change Name, E-mail Address, or Password” to take me to the relevant page of options:
On this page, I would have clicked the “Change” button to the right of the email address, which would have taken me to the page that would allow me to change this:
I can see no option in that process that might have resulted in the accidental creation of a new account; no option box or link that I might have clicked on to achieve this while still causing Amazon to send me emails confirming that what I had done was change my email address.
All the evidence, in my opinion, points to Amazon’s system being the cause of this problem and I’m very unhappy with their dismissal of it – remember, Amazon retains customer credit card details (the full numbers for which can’t be seen, but they could be used on Amazon’s site) , as well as name and address and purchase order histories. This is not something that should be dismissed so quickly without a full investigation.
As an aside, this morning I created a new Amazon account. I did this because I wanted to see what emails it sent out when this was done – it’s a long time since I created my account, and I wanted to compare any “welcome” email(s) that might be sent with those password change confirmations. So far, although the account has been created and I can log into it – and I can see, by going to “Your Account” and from there to “E-mail Preferences and Notifications” that my new account is set to receive lots of promotional e-mails:
Obviously, I have now selected the “Do not send me e-mail” option on my newly created test account.
I have not, as yet, received any form of “Welcome” email to inform me that an account has been set up in my name, and giving me the opportunity to, for example, click an link to say “I am not this person. I have not created this account.”
11th April 2011: Update 2: Speculation on the cause and that it may be fixed
After posting the above update and re-reading it, something caught my eye. Specifically, the image showing the options to change a name, email address and password:
That page provides a separate button for changing each of those three things. In each case, you click the ‘Change’ button, which takes you to another page, and on that page you make your change and click a button to effect that change. This niggled at the back of my mind for some reason that I couldn’t, at first, put a finger on, so I began looking back over my emails – starting with the emails from Amazon confirming my change of email address in August last year.
I didn’t have to read any further – it was my memory of those emails that caused the above image to grab my attention. In both cases, they didn’t just say:
The e-mail address associated with your account has been changed. The old address was [old address]. The new address is [new address].
They also said:
You have successfully changed your password.
In other words, back in August I changed both my email address and password for Amazon at the same time.
With that in mind, I’ve just tried something else: I’ve changed my email address and password, one straight after the other. As I’ve pointed out above, these changes are made on different pages – and the resulting emails confirming the changes have come separately; one pair confirming the email change, and a different email entirely confirming the password change.
Since the emails in August note both changes at the same time, but not those today, it seems clear that at some point these changes could both be made on the same page and that this has subsequently changed. I’m inclined to suspect, therefore, that this could have been the cause of the problem – that changing both at the same time triggered the creation of a new account – and that the separation of these functions has stopped it from happening since.
However, that’s only speculation, and the point still remains that it may have happened to others and that there could remain forked accounts, potentially open to abuse, on the Amazon system.