We found out that account information leaked via Amazon's customer service


By Zlatko Unger

To protect accounts registered with web services, we often rely on measures such as automatically generated passwords or 2-step verification, but sometimes an unexpected place turns out to be the loophole. Eric, a user of Amazon's services, found that his account information was leaked through Amazon's customer service, the company's inquiry window, which makes it clear that hardening login credentials alone may not be effective.

Amazon's customer service backdoor - Hacker Daily - Medium
https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4

Software engineer Eric says he was a heavy user of Amazon's online shopping as well as Amazon Web Services (AWS), and that "Amazon was one of the few companies whose security I could trust"; he had never had a complaint about its security. One incident, however, caused him to lose that trust.

One day Eric received an email from Amazon saying "Thank you for contacting customer service", but he did not remember contacting them. At first he assumed it was either an email sent in error or a late notification about a support exchange from quite a while ago, and he was not worried. However, when he asked customer service about it, he learned that someone had used his account to inquire about the delivery of goods through the chat-based support service.


Eric, who did not understand what was going on, asked Amazon to send him a copy of the chat. The conversation that was actually sent is shown in the screenshot below.


When a user claiming to be Eric asked "I want to know whether the package I last purchased has been delivered", the support representative asked for the account name, email address and billing address to confirm that the user was really Eric. Looking at the transcript, the representative judged that there was no problem after the user answered. However, according to Eric, the address the user gave is that of a hotel Eric had used several times for domain registrations in the WHOIS database, not his real address. But the hotel is in the same ZIP code as the billing address registered with Amazon, so the ZIP code portion of the address matched.

In the chat, when the user claiming to be Eric said "I don't know the order number, it's about the item I bought last", the representative replied "Is it this product?", then answered "The item is currently at ○○○ and will arrive at the address as planned". When the user asked "What is the shipping address?", the representative gave out Eric's shipping address and phone number. After that, the user checked the gift card balance remaining in Eric's account and ended the chat.


From this chat it is clear that a user claiming to be Eric used false information about Eric taken from WHOIS lookups and obtained Eric's real address and phone number. Eric immediately contacted Amazon to report that his account was at risk, and received a message to the effect that Amazon understood the account had a security risk and would refer the matter to its specialists. To be safe, Eric changed the credit card information and the address registered in the account.

Eric was relieved for a while, but about two months after the first incident he again received an email from Amazon saying "Thank you for contacting customer service". When he checked with Amazon, it turned out that a user claiming to be Eric had once again contacted the support center by chat.


According to the chat record, the user claiming to be Eric used the billing address improperly obtained in the previous chat, and the support representative again wrongly judged that the user was Eric himself.


The conversation continued much like the last time: the user asked where the most recently ordered item was and obtained the shipping address and telephone number (the blacked-out area).


Furthermore, the user asked "Please tell me the last 4 digits of the credit card used for the order". The representative replied "I cannot tell you the credit card number, but if you tell me the last 4 digits I can tell you whether they match the card used for the order".


However, the user did not back down, saying "The credit card is a work card and I don't have it with me now; I need to report the purchase details to my boss, so it would be very helpful if you could tell me". The representative, trying to help somehow, asked "Can you access your account now?", but the user answered "I can't".


After that the user asked "Then could you tell me the expiration date?", and the representative replied "If the last 4 digits are not possible, I cannot tell you even 2 digits". The representative asked "You don't have the credit card with you now?", the user answered "I don't, I'll log in later and check", the representative said "If you need to confirm it, you can log in now", the user said "No, that's fine", and the chat continued.


It is unfortunate that the address and telephone number leaked, but fortunately the credit card information did not. Still, because personal information was once again stolen via the support center, Eric contacted Amazon and asked it not to give any information to users who identify themselves only by name and address; the company replied that it would make sure nothing like this happened again.
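As an added illustration (not from the article and not Amazon's own process), the following Python models the identity check the two transcripts show, where name, email and an address judged at ZIP-code level are enough, beside a stricter policy in which a verifier must match exactly and is burned once support has read it out. The account values, the hotel address and the policy names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    email: str
    billing_address: str    # full street address, ending in the ZIP code (constructed)
    card_last4: str
    disclosed: set = field(default_factory=set)   # fields support has read out to a caller

    @property
    def billing_zip(self):
        return self.billing_address[-5:]

def weak_verify(acct, claim):
    """The check seen in the chats: name, email and address, with the address
    effectively judged at ZIP-code level. All three can come from public data."""
    return (claim.get("name") == acct.name and claim.get("email") == acct.email
            and claim.get("billing_address", "")[-5:] == acct.billing_zip)

def strict_verify(acct, claim):
    """Hardened policy: the caller must supply an exact, non-public verifier that
    support has never read out in any earlier contact (disclosure burns it)."""
    for name in ("billing_address", "card_last4"):
        if name not in acct.disclosed and claim.get(name) == getattr(acct, name):
            return True
    return False

def support_chat(acct, claim, verify):
    """One contact: if the policy accepts the caller, support answers the
    'where is my package' question by reading out the billing address, which
    is then recorded as disclosed. Returns what the caller walked away with."""
    if not verify(acct, claim):
        return None
    acct.disclosed.add("billing_address")
    return acct.billing_address

def run_incident(verify):
    """Replay both contacts from the article with constructed sample values."""
    acct = Account("Eric Example", "eric@example.com",
                   "12 Real St, Springfield, 12345", "4242")
    # Contact 1: name and email as found in WHOIS, plus a hotel in the same ZIP code.
    chat1 = {"name": acct.name, "email": acct.email,
             "billing_address": "99 Hotel Ave, Springfield, 12345"}
    got1 = support_chat(acct, chat1, verify)
    # Contact 2: the caller reuses whatever contact 1 handed over.
    chat2 = dict(chat1, billing_address=got1 or chat1["billing_address"])
    got2 = support_chat(acct, chat2, verify)
    return got1, got2
```

Under `weak_verify` both contacts succeed and the second one is verified with the very address the first one leaked; under `strict_verify` neither does, and an address that support has ever read out can no longer serve as a verifier.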

Eric felt he could no longer trust Amazon and removed his address from his account. That seemed to bring some safe days, but once again he received an email from customer service indicating that "Eric" had contacted the support center. This time it was a telephone inquiry rather than a chat, so no record of the conversation could be obtained. Eric said he intends to contact Amazon again, but added, "Amazon has betrayed me three times; everything I could do as a user was in vain, and I am now in the process of deleting my Amazon account."

Posted by darkhorse_log in Web Service, Security