From time to time it may be necessary to notify customers of security and privacy events with Amazon Payments. We will publish security bulletins below.
A vulnerability has been reported in the way code samples for two Amazon Payments products, Amazon Simple Pay and the Amazon Flexible Payments Service (FPS), handle application-side signature validation of outbound notifications. This impacts applications that utilize Amazon Payments code samples and that verify signatures on return URL responses or Instant Payment Notifications.
To address this issue, we will be deprecating support for application-side PKI-based verification of outbound notifications, have published new code samples that utilize the FPS VerifySignature API for verification, and outlined deprecation steps on the Amazon FPS discussion forum. Active FPS and Amazon Simple Pay customers using Signature Version 2 have been notified of the necessary updates. While our investigations have found no evidence of misuse, the change is necessary to ensure proper verification of payment notifications. On November 1, 2010, we will no longer process payment transactions for applications using application-side PKI-based verification of outbound notifications.
Thank you to Rui Wang of the School of Informatics at Indiana University for reporting this issue.
Please send comments or questions to fps-am-assist@amazon.com.
Please e-mail us directly at security@amazon.com to report suspected vulnerabilities.