Just another critical cross-site scripting vulnerability has been reported by "See Me" for Amazon Seller Central, a secure website where sellers who signed up for the "Checkout by Amazon" service can view and manage their orders.

The XSS bug affects the "Password Assistance" page, which makes it an ideal phishing weapon for fraudsters who target sensitive personal and financial information. As you can see in the following screenshot, "See Me" injected an iFrame tag that retrieves the first page of XSSed.com. With the frame border set to 0, the same tag could instead retrieve a deceitful Seller Central login page that logs authentication credentials in cleartext and sends them to the fraudster's e-mail inbox.

Amazon is usually quick at remediating security issues affecting their online properties. Of course, they should go through a thorough source code security review and testing before they put stuff live.
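The root cause of a bug like this is a page that reflects a request parameter into its HTML without contextual output encoding. The following added example (not code from XSSed.com, Amazon, or the reporter; the page template, parameter name and URL are constructed assumptions) renders a mock "Password Assistance" page two ways, with the untrusted value inserted raw and with it HTML-escaped, and counts how many extra tags an injected iframe contributes in each case. A zero count for the escaped render is the check a reviewer would want to see pass before the page goes live.

```python
import html
import re

# Constructed payload in the style the report describes: an iframe tag
# injected through a reflected parameter. The URL is a placeholder.
INJECTED_PARAM = '<iframe src="https://example.invalid/" border="0"></iframe>'

# Benign value used as the baseline for the tag count (constructed).
BENIGN = "seller@example.invalid"

# Hypothetical page template: the submitted e-mail is echoed both in text
# content and inside an attribute value, two different HTML contexts.
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<h1>Password Assistance</h1>\n"
    "<p>We could not find an account for {email}.</p>\n"
    '<form method="post"><input name="email" value="{email}">'
    '<input type="submit" value="Retry"></form>\n'
    "</body></html>"
)


def render_unsafe(email: str) -> str:
    """Vulnerable render: the request parameter lands in the markup as-is."""
    return PAGE_TEMPLATE.format(email=email)


def render_safe(email: str) -> str:
    """Hardened render: escape <, >, &, and both quote characters so the
    value is inert in text content and in a quoted attribute."""
    return PAGE_TEMPLATE.format(email=html.escape(email, quote=True))


# Matches the start of any opening or closing tag.
TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*")


def count_tags(page: str) -> int:
    return len(TAG_RE.findall(page))


def injected_tag_count(render, untrusted: str) -> int:
    """Number of tags the untrusted input added beyond the benign baseline.
    Anything above zero means markup from the request reached the page."""
    return count_tags(render(untrusted)) - count_tags(render(BENIGN))


if __name__ == "__main__":
    print("unsafe render adds", injected_tag_count(render_unsafe, INJECTED_PARAM), "tags")
    print("safe render adds", injected_tag_count(render_safe, INJECTED_PARAM), "tags")
```

Because the template echoes the value twice, the raw render picks up the iframe's opening and closing tags in both places (four extra tags), while the escaped render picks up none; the same check extends to any other reflected parameter by swapping the template and payload.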