Amazon Pay Security Advisory APSA2016-01

Amazon Pay and Login with Amazon SDK Message Spoofing

Who needs to read this?

This advisory only applies to developers that consume the Amazon Pay and Login with Amazon SDKs.

Executive Summary

Spoofed Amazon Pay and Login with Amazon SNS messages could be incorrectly accepted as valid. The SDKs have been updated to validate the TLS certificate endpoint when receiving IPNs.

Affected Software

This advisory is related to the following software versions.

Amazon Pay and Login with Amazon SDK

Language      Version      Link
C#            <= v1.0.14   https://github.com/amzn/login-and-pay-with-amazon-sdk-csharp
Java          <= v1.0.16   https://github.com/amzn/login-and-pay-with-amazon-sdk-java
PHP (Legacy)  <= v1.0.14   https://github.com/amzn/login-and-pay-with-amazon-sdk-php/tree/Legacy-US
PHP (New)     v1.0.0       https://github.com/amzn/login-and-pay-with-amazon-sdk-php
Python        v1.0.0       https://github.com/amzn/login-and-pay-with-amazon-sdk-python

Suggested actions

Amazon recommends that you upgrade to the latest SDK version. The latest version includes additional protections against message spoofing. See the Affected Software table above for the affected versions.

Advisory FAQ

What is required for exploitation?

An attacker would need to craft an SNS message with knowledge of the message responses your application expects. Such messages could be incorrectly accepted by the application as valid.
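The defensive check the updated SDKs describe, validating where the signing certificate comes from before trusting an IPN, can be illustrated as follows. This is an added example, not code from the Amazon Pay SDKs; the accepted host pattern, the SNS signed-field order and the sample IPN bodies are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Policy assumed for this example (not the SDK's own code): a SigningCertURL is only
# trusted if it is HTTPS, on an SNS endpoint host, and points at a .pem file.
_SNS_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com$")

# Field order SNS signs per message type, one "Name\nValue\n" per field present.
_SIGNED_FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
    "SubscriptionConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp",
                                 "Token", "TopicArn", "Type"],
    "UnsubscribeConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp",
                                "Token", "TopicArn", "Type"],
}

def signing_cert_url_is_trusted(url: str) -> bool:
    """Reject a SigningCertURL unless it is https, on an SNS host, and ends in .pem."""
    parts = urlparse(url)
    return (parts.scheme == "https" and parts.port is None
            and bool(_SNS_CERT_HOST.match(parts.hostname or ""))
            and parts.path.endswith(".pem"))

def string_to_sign(msg: dict) -> str:
    """Rebuild the canonical string SNS signed; the Signature is checked against it."""
    fields = _SIGNED_FIELDS.get(msg.get("Type"))
    if fields is None:
        raise ValueError("unknown SNS message type")
    return "".join(f"{name}\n{msg[name]}\n" for name in fields if name in msg)

def screen_ipn(raw_body: str) -> str:
    """Gate an inbound IPN before fetching any certificate: 'ok' or a reject reason."""
    try:
        msg = json.loads(raw_body)
    except json.JSONDecodeError:
        return "reject: body is not JSON"
    if msg.get("Type") not in _SIGNED_FIELDS or msg.get("SignatureVersion") != "1":
        return "reject: unsupported Type or SignatureVersion"
    if not signing_cert_url_is_trusted(msg.get("SigningCertURL", "")):
        return "reject: SigningCertURL is not an SNS endpoint"
    return "ok"  # safe to fetch the cert from SigningCertURL and verify Signature

# Constructed sample IPN bodies (not real Amazon Pay traffic); only the cert URL differs.
_BASE = {"Type": "Notification", "MessageId": "constructed-id", "TopicArn": "arn:example",
         "Message": "constructed payload", "Timestamp": "2016-04-18T00:00:00.000Z",
         "SignatureVersion": "1", "Signature": "constructed"}
GENUINE_SHAPED_IPN = json.dumps({**_BASE, "SigningCertURL":
    "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"})
SPOOFED_IPN = json.dumps({**_BASE, "SigningCertURL":
    "https://sns.us-east-1.amazonaws.com.attacker.example/cert.pem"})
```

Only after `screen_ipn` returns "ok" should the certificate be fetched and the RSA signature checked against `string_to_sign`; a receiver that skips the endpoint check would verify a spoofed message against whatever certificate the sender chose to host.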

I have made purchases on Amazon.com or sites using Amazon Pay, is my information secure?

Yes. This issue does not affect the confidentiality of any customer data.

Other information

Documentation

Refer to https://pay.amazon.co.uk/developer/documentation for SDK documentation.

Support

Refer to help options at https://pay.amazon.co.uk/help.

Recognition

Thanks to John Jean for his help in identifying this issue.

Revisions

V1.0 — Advisory published 18 April 2016