Amazon's security theater destroys password security

4 points by fxtentacle ↗ HN
Oh wow, I never expected such a fatal security flaw from Amazon: I just logged in to my account with email and password. They emailed me a one-time code because it was a new device. Afterwards, I could see my shipping addresses, billing data, etc. as usual and submit the order.

Then I got an automated email: "Someone unauthorized might have access to your account. To protect your security, we have disabled your password. Please use the following link to reset your password."

And now I can click the link and they'll email me an OTP code which I can use to login into the account WITHOUT ANY PASSWORD !!!

2 comments

[ 4.9 ms ] story [ 18.9 ms ] thread
If having your "second" factor is sufficient to reset your password, then it's your only factor and you don't actually have 2FA.
Relax, they have it... Oh wait. Maybe we're not supposed to know that part. I mean, can you check to see if you have a lingering session cookie or web token that could be used to verify you based on your previous interaction w/ your computer + browser + email (user-specific, sensitive profile info), I mean w/ Amazon (account-specific info)? Maybe also inspect both the email and the link, for good measure. I'm hoping, I mean assuming you're not using Chrome Browser?