A critical cross-site scripting vulnerability has been reported by "See Me" for Amazon Seller Central, a secure website where sellers who signed up for the "Checkout by Amazon" service can view and manage their orders.

The XSS bug affects the "Password Assistance" page, which makes it an ideal phishing weapon for fraudsters who target sensitive personal and financial information. As you can see in the following screenshot, "See Me" injected an iFrame tag that retrieves the front page of XSSed.com. With the frame's border set to 0, the same tag could instead retrieve a deceptive Seller Central login page that logs authentication credentials in cleartext and sends them to the fraudster's e-mail inbox.

Amazon is usually quick to remediate security issues affecting its online properties. Even so, they should go through a thorough source code security review and testing before putting anything live.
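To make the defensive point concrete, here is an added example (not code from XSSed.com, "See Me" or Amazon) of how a reflected XSS of this kind arises when a password-assistance style page echoes a request parameter into its HTML unescaped, and how output encoding plus a Content-Security-Policy header neutralise an injected iframe. The page handlers, the `email` parameter and the sample payload are all constructed for the illustration; the placeholder host uses the reserved `.invalid` TLD.

```python
# Added example: vulnerable reflection beside its hardened form.
# Names, handlers and the payload below are constructed, not taken from the report.
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload in the spirit of the report: an iframe with its border set
# to 0 that pulls a foreign page into the trusted site. ".invalid" is a reserved,
# non-resolving TLD used purely as a placeholder.
INJECTED = '<iframe src="https://attacker.invalid/fake-login" frameborder="0"></iframe>'


def build_query(email: str) -> str:
    """Build the URL-encoded query string a browser would send for ?email=..."""
    return urlencode({"email": email})


def render_vulnerable(query_string: str) -> str:
    """Before: the parameter is interpolated into the page exactly as received,
    so any markup in it becomes live HTML (reflected XSS)."""
    params = parse_qs(query_string)
    email = params.get("email", [""])[0]
    return f"<p>We sent a reset link to {email}</p>"


def render_hardened(query_string: str) -> str:
    """After: the parameter is HTML-escaped on output, so <, >, & and quotes are
    rendered as inert text and the iframe tag never becomes an element."""
    params = parse_qs(query_string)
    email = params.get("email", [""])[0]
    return f"<p>We sent a reset link to {html.escape(email, quote=True)}</p>"


def security_headers() -> dict:
    """Defence in depth for the response: frame-src 'none' stops the page from
    embedding any frame at all, so a markup injection that slipped past output
    encoding still could not load a foreign login page. frame-ancestors and
    X-Frame-Options cover the separate case of this page being framed elsewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-src 'none'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


def contains_active_markup(fragment: str) -> bool:
    """Crude check: does the rendered HTML still contain a live iframe start tag?"""
    return "<iframe" in fragment.lower()


if __name__ == "__main__":
    qs = build_query(INJECTED)
    print("vulnerable:", render_vulnerable(qs))
    print("hardened:  ", render_hardened(qs))
    print("headers:   ", security_headers())
```

Running the block prints the vulnerable rendering with a real `<iframe>` element and the hardened rendering with `&lt;iframe ...&gt;` as harmless text. The escaping must happen at output time, in the HTML context where the value lands; rejecting input that "looks like" a tag is not a substitute, since the same value may be legitimate elsewhere and attackers vary the encoding.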