Amazon Seller Central vulnerable to XSS

To demonstrate that the Amazon Seller Central password reset page is vulnerable to an XSS attack, a regular submitter to the website has injected an iFrame tag that retrieves the online project’s home page.

This in itself would no be such news, were it not for the fact that this XSS flaw could be used to gather sensitive information.

“With border set to 0 in the tag, [the iFrame] could retrieve a deceitful seller central user login page that logs authentication credentials in cleartext and sends them to the fraudster’s e-mail inbox,” says one of XSSed’s editors.

Here’s hoping that Amazon reacts quickly.