Amazon Payments Security Advisory APSA2016-01

Login and Pay with Amazon SDK message spoofing

Who needs to read this?

This advisory only applies to developers that consume the Login and Pay with Amazon SDKs.

Executive summary

Spoofed Amazon SNS messages carrying Login and Pay with Amazon instant payment notifications (IPNs) could be accepted by the SDKs as valid. Affected versions did not check where the certificate used to verify a message's signature was fetched from, so a message that pointed at a certificate under an attacker's control could pass signature verification. The SDKs have been updated to validate the certificate endpoint during reception of IPNs: the certificate named by the message (its SigningCertURL) must be served by an Amazon SNS endpoint over HTTPS before it is used.

Affected software

This advisory applies to the following SDK versions.

Login and Pay with Amazon SDK (in English)

Language       Affected versions   Link
C#             <= v1.0.14          https://github.com/amzn/login-and-pay-with-amazon-sdk-csharp
Java           <= v1.0.16          https://github.com/amzn/login-and-pay-with-amazon-sdk-java
PHP (Legacy)   <= v1.0.14          https://github.com/amzn/login-and-pay-with-amazon-sdk-php/tree/Legacy-US
PHP (New)      v1.0.0              https://github.com/amzn/login-and-pay-with-amazon-sdk-php
Python         v1.0.0              https://github.com/amzn/login-and-pay-with-amazon-sdk-python

Suggested actions

Amazon recommends that you upgrade to the latest version of the SDK for your language. The latest versions validate the signing-certificate endpoint and therefore include additional protection against message spoofing. See the affected software table for the versions that need to be upgraded.

Advisory FAQ

What is required for exploitation?

An attacker would have to craft an SNS message in the format your IPN handler expects (which requires knowing the notification types and fields your application acts on) and deliver it to your notification endpoint. Affected SDK versions could incorrectly accept such a message as a valid message from Amazon.
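The check the fixed SDKs add, and the pre-fix behaviour it replaces, as an added Python example that is not code from this advisory or from any of the SDKs listed above. The verifier rejects a message whose SigningCertURL is not an Amazon SNS endpoint over HTTPS before fetching anything; with `trust_any_cert_url=True` it reproduces the old behaviour, where a forger who hosts a certificate and signs with its key passes. The host pattern, the constructed notification and certificates, and the hash-based stand-in for RSA signature verification (`demo_sign`/`demo_verify_rsa`) are assumptions of this example; in production replace `demo_verify_rsa` with RSA PKCS#1 v1.5 verification using the fetched certificate's public key (SHA1 for SignatureVersion 1, SHA256 for version 2).

```python
"""Validate an SNS-delivered IPN: trusted SigningCertURL first, then the signature."""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Only certificates served by Amazon SNS may be used to check a message signature.
# Assumption of this example: the host pattern mirrors the one AWS's own validators use
# (commercial regions plus the China partition); tighten it to your regions if you can.
SNS_CERT_HOST_RE = re.compile(r"^sns\.[a-zA-Z0-9-]{3,}\.amazonaws\.com(\.cn)?$")

# Fields SNS signs, in the order they are concatenated as "Key\nValue\n".
NOTIFICATION_KEYS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
CONFIRMATION_KEYS = ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token",
                     "TopicArn", "Type")


def signing_cert_url_is_trusted(url):
    """True only for https://sns.<region>.amazonaws.com[.cn]/<...>.pem."""
    parts = urlparse(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and SNS_CERT_HOST_RE.match(parts.hostname) is not None
            and parts.path.endswith(".pem"))


def string_to_sign(msg):
    """Rebuild the exact text SNS signed for this message type."""
    if msg.get("Type") == "Notification":
        keys = NOTIFICATION_KEYS
    elif msg.get("Type") in ("SubscriptionConfirmation", "UnsubscribeConfirmation"):
        keys = CONFIRMATION_KEYS
    else:
        raise ValueError("unknown SNS message type")
    # Subject is optional on notifications and is signed only when present.
    return "".join(f"{k}\n{msg[k]}\n" for k in keys if k != "Subject" or k in msg)


def verify_sns_message(msg, fetch_cert, verify_rsa, trust_any_cert_url=False):
    """Return (accepted, reason).

    fetch_cert(url) -> PEM text; verify_rsa(pem, data, sig, version) -> bool.
    trust_any_cert_url=True reproduces the pre-fix behaviour: the certificate is
    fetched from whatever URL the message names, so a forger who hosts a certificate
    and signs with its key passes.
    """
    url = msg.get("SigningCertURL", "")
    if not trust_any_cert_url and not signing_cert_url_is_trusted(url):
        return False, "SigningCertURL is not an Amazon SNS endpoint"  # reject before any fetch
    if msg.get("SignatureVersion") not in ("1", "2"):
        return False, "unsupported SignatureVersion"
    try:
        data = string_to_sign(msg).encode("utf-8")
        signature = base64.b64decode(msg["Signature"], validate=True)
    except (KeyError, ValueError) as exc:
        return False, f"malformed message: {exc}"
    if not verify_rsa(fetch_cert(url), data, signature, msg["SignatureVersion"]):
        return False, "signature does not verify under the fetched certificate"
    return True, "ok"


# ---- constructed demo data; not real SNS traffic or real certificates ---------------
SNS_CERT_URL = "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"
FORGED_CERT_URL = "https://sns.us-east-1.amazonaws.com.attacker.example/cert.pem"
CERT_STORE = {SNS_CERT_URL: "-----BEGIN CERTIFICATE-----\ndemo-amazon\n-----END CERTIFICATE-----",
              FORGED_CERT_URL: "-----BEGIN CERTIFICATE-----\ndemo-attacker\n-----END CERTIFICATE-----"}
FETCHED = []  # records every certificate URL the verifier actually reached for


def demo_fetch_cert(url):
    FETCHED.append(url)
    return CERT_STORE[url]


def demo_sign(cert_pem, data):
    # Stand-in for RSA so the example runs offline: whoever holds a certificate can
    # produce a "signature" that verifies under it, which is exactly the forger's position.
    return hashlib.sha256(cert_pem.encode("utf-8") + data).digest()


def demo_verify_rsa(cert_pem, data, signature, version):
    return signature == demo_sign(cert_pem, data)


def make_message(cert_url, message='{"NotificationType":"OrderReferenceNotification"}'):
    """Build a Notification signed under the certificate at cert_url (demo signing)."""
    msg = {"Type": "Notification", "MessageId": "11111111-2222-3333-4444-555555555555",
           "TopicArn": "arn:aws:sns:us-east-1:123456789012:ExampleTopic",
           "Message": message, "Timestamp": "2016-04-18T00:00:00.000Z",
           "SignatureVersion": "1", "SigningCertURL": cert_url}
    sig = demo_sign(CERT_STORE[cert_url], string_to_sign(msg).encode("utf-8"))
    msg["Signature"] = base64.b64encode(sig).decode("ascii")
    return msg


if __name__ == "__main__":
    genuine, forged = make_message(SNS_CERT_URL), make_message(FORGED_CERT_URL)
    print("genuine, fixed SDK:  ", verify_sns_message(genuine, demo_fetch_cert, demo_verify_rsa))
    print("forged, pre-fix SDK: ", verify_sns_message(forged, demo_fetch_cert, demo_verify_rsa,
                                                       trust_any_cert_url=True))
    print("forged, fixed SDK:   ", verify_sns_message(forged, demo_fetch_cert, demo_verify_rsa))
```

The order of the checks is the point: the endpoint is validated before any network fetch, so a forged message never causes the application to retrieve, parse or trust attacker-hosted material. The same check belongs in any IPN handler that verifies SNS messages outside the SDK.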

I have made purchases on Amazon.com or sites using Pay with Amazon. Is my information secure?

Yes. This issue does not affect the confidentiality of any customer data.

Other information

Documentation

Refer to https://payments.amazon.com/documentation for SDK documentation.

Support

Refer to help options at https://payments.amazon.com/help.

Recognition

John Jean for his help in identifying this issue.

Revisions

V1.0 — Advisory published 18 April, 2016.