Amazon Pay Security Advisory APSA2016-01
Amazon Pay and Login with Amazon SDK message spoofing
Who needs to read this?
This advisory only applies to developers that consume the legacy Checkout v1 Amazon Pay and Login with Amazon SDKs. For the newest version of Amazon Pay, see the developer documentation.
Executive summary
Spoofed Amazon Pay and Login with Amazon SNS messages could incorrectly pass validation. The SDKs have been updated to validate the TLS certificate endpoint (the host that serves the SNS signing certificate) when receiving IPNs.
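The check the summary describes, written out as an added Python example that is not the SDK's own code: the host named in SigningCertURL is validated before the certificate is fetched, and the SNS canonical string is rebuilt for signature verification. Field names follow the documented SNS message format; the host pattern, the sample IPN and the forged certificate URL are constructed assumptions, and certificate fetching and RSA verification are supplied by the caller.

```python
import re
from urllib.parse import urlparse

# Host pattern for the endpoint that serves SNS signing certificates
# (sns.<region>.amazonaws.com, or .amazonaws.com.cn for China regions).
# Assumption: adjust the pattern if you use other AWS partitions.
_SNS_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]{3,}\.amazonaws\.com(\.cn)?$")

def signing_cert_url_is_trusted(url: str) -> bool:
    """Only fetch the certificate named in SigningCertURL when it is served
    over HTTPS, on the default port, from an SNS host, as a .pem file."""
    try:
        parts = urlparse(url)
        host, port = parts.hostname or "", parts.port
    except ValueError:  # malformed URL or port
        return False
    return (parts.scheme == "https" and port is None
            and bool(_SNS_CERT_HOST.match(host)) and parts.path.endswith(".pem"))

def string_to_sign(msg: dict) -> str:
    """Rebuild the canonical string SNS signed: 'Name\\nValue\\n' per field in
    documented order. Subject is optional; every other field is required."""
    if msg["Type"] == "Notification":
        names = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
    else:  # SubscriptionConfirmation / UnsubscribeConfirmation
        names = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token",
                 "TopicArn", "Type"]
    names = [n for n in names if n != "Subject" or "Subject" in msg]
    return "".join(f"{n}\n{msg[n]}\n" for n in names)

def validate_sns_message(msg: dict, fetch_cert, verify_rsa) -> bool:
    """Endpoint check first, then signature check. fetch_cert(url) returns the
    PEM certificate; verify_rsa(pem, data, signature_b64, version) checks the
    RSA signature (SignatureVersion "1" = SHA1, "2" = SHA256)."""
    if not signing_cert_url_is_trusted(msg.get("SigningCertURL", "")):
        return False  # never contact an attacker-chosen host for a "trusted" key
    try:
        data = string_to_sign(msg)
        signature = msg["Signature"]
    except KeyError:  # required field missing: cannot be a genuine message
        return False
    pem = fetch_cert(msg["SigningCertURL"])
    return verify_rsa(pem, data, signature, msg.get("SignatureVersion", "1"))

# Constructed sample IPN (placeholder values) and a forged certificate URL whose
# host merely starts with the SNS name; the anchored pattern rejects it.
SAMPLE_IPN = {
    "Type": "Notification", "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:example-topic",
    "Message": '{"example":"constructed IPN body"}',
    "Timestamp": "2016-04-18T00:00:00.000Z", "SignatureVersion": "1",
    "Signature": "cGxhY2Vob2xkZXItc2lnbmF0dXJl",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
}
FORGED_CERT_URL = "https://sns.us-east-1.amazonaws.com.attacker.example/cert.pem"
```

The upgraded SDKs perform this endpoint check before retrieving the certificate, so a message pointing at a non-SNS host is rejected without any network request.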
Affected software
This advisory is related to the following software versions.
Amazon Pay and Login with Amazon SDK (in English)
Language | Version | Link
C# | <= v1.0.14 | https://github.com/amzn/login-and-pay-with-amazon-sdk-csharp
Java | <= v1.0.16 |
PHP (Legacy) | <= v1.0.14 | https://github.com/amzn/login-and-pay-with-amazon-sdk-php/tree/Legacy-US
PHP (New) | v1.0.0 |
Python | v1.0.0 | https://github.com/amzn/login-and-pay-with-amazon-sdk-python
Suggested actions
Amazon recommends you upgrade to the latest SDK version. The latest version includes additional protections against message spoofing. See the affected software table for affected versions.
Advisory FAQ
What is required for exploitation?
An attacker would have to craft an SNS message with knowledge of the message responses your application is expecting. Such messages could be incorrectly accepted by the application as valid.
I have made purchases on Amazon.com or sites using Amazon Pay. Is my information secure?
Yes. This issue does not affect the confidentiality of any customer data.
Other information
Documentation
Refer to https://pay.amazon.com/documentation for SDK documentation.
Support
Refer to help options at https://pay.amazon.com/help.
Recognition
John Jean for his help in identifying this issue.
Revisions
V1.0 — Advisory published 18 April, 2016.