18 Dec, 2011

Kindle Fire Security, Part III- Making Purchases With A Deregistered Device

by Ken Johnson

This issue was disclosed to Amazon several weeks ago. Amazon did a great job of responding, replicating the problem, and working towards a fix. Below is the disclosure, response, and remediation timeline:

  • November 23, 2011: Notified Amazon
  • November 23, 2011: Amazon acknowledged the issue
  • December 9, 2011:  Update from Amazon on forthcoming patch
  • Sometime before the end of December 2011: Security update released

Each Kindle Fire is registered and tied to an Amazon account. A registered device has access to the Newsstand, Books, Music, Apps, and so forth, and can make purchases on behalf of the account it is tied to. Once the device is registered, all of those services are available and, aside from unlocking the device, you never need to re-authenticate to make a purchase. 

In the event a device is lost, given to a family member as a gift, etc., the device owner can deregister the device through the Amazon website. Deregistering the device immediately revokes its access to order content: Books, Newsstand, Video, Apps, and Music. It does not, however, revoke the device's ability to keep using the registered account to order ACTUAL ITEMS from the Amazon store. 

In fact, the session token that lets the device keep making purchases through the Amazon store remains valid for approximately 72 hours after the device is deregistered; deregistration does not invalidate it. While testing, I was able to continue making 1-Click purchases for 3 days after deregistering the device. I kept ordering and canceling until the session token eventually stopped working and the device began requesting a new set of credentials: 3 full days with unauthorized access to make purchases.

The next Kindle Fire update should contain a fix for this issue. I'm guessing this issue also requires a server-side fix in order to immediately revoke the existing token used for the Amazon app on the deregistered device.
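To make the server-side side of that fix concrete, here is an added example. It is my own model of the problem, not Amazon's code and not anything observed on the device: a toy store back end that hands a bearer session token to a registered device. The flawed validator checks only the token's expiry, so a token outlives deregistration for its full 72-hour lifetime, exactly the behaviour described above. The fixed validator also requires that the device still be registered to the same account and embeds a per-device registration generation in the token, so deregistering (or re-registering) the device kills every token issued before. The device IDs, account name, signing key, and 72-hour TTL are all constructed for this example.

```python
"""Deregistration vs. token expiry: a toy store back end (added example, not Amazon's code)."""
import hashlib
import hmac
import time

# Constructed for this example; a real deployment keeps this out of source.
SECRET = b"example-signing-key-not-a-real-secret"
TOKEN_TTL = 72 * 3600  # 72-hour token lifetime, matching the post's observation


class FakeClock:
    """Controllable clock so the 72-hour window can be simulated offline."""

    def __init__(self, now=0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Store:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.registered = {}  # device_id -> (account, generation)
        self.generation = {}  # device_id -> number of registrations so far

    def register(self, device_id, account):
        # Every (re)registration bumps the generation; tokens carry the
        # generation they were issued under, so older tokens become stale.
        gen = self.generation.get(device_id, 0) + 1
        self.generation[device_id] = gen
        self.registered[device_id] = (account, gen)

    def deregister(self, device_id):
        # Only the registration record is touched; nothing is stored per token.
        self.registered.pop(device_id, None)

    def issue_token(self, device_id):
        """Bearer token: signed payload of device, account, generation, expiry."""
        account, gen = self.registered[device_id]
        expires = int(self.clock()) + TOKEN_TTL
        payload = f"{device_id}|{account}|{gen}|{expires}"
        mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def _parse(self, token):
        """Verify the MAC and unpack the payload; None on any failure."""
        try:
            payload, mac = token.rsplit(".", 1)
            expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):
                return None
            device_id, account, gen, expires = payload.split("|")
            return device_id, account, int(gen), int(expires)
        except ValueError:
            return None

    def can_purchase_flawed(self, token):
        """Expiry-only check: a deregistered device keeps buying until the TTL runs out."""
        parsed = self._parse(token)
        if parsed is None:
            return False
        _, _, _, expires = parsed
        return self.clock() < expires

    def can_purchase_fixed(self, token):
        """Expiry plus live registration state: deregistration revokes at once."""
        parsed = self._parse(token)
        if parsed is None:
            return False
        device_id, account, gen, expires = parsed
        if self.clock() >= expires:
            return False
        # The device must still be registered to the same account, under the
        # same generation the token was minted for.
        return self.registered.get(device_id) == (account, gen)


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    store = Store(clock)
    store.register("kindle-1", "owner@example.test")
    token = store.issue_token("kindle-1")
    store.deregister("kindle-1")
    print("flawed check after deregistration:", store.can_purchase_flawed(token))
    print("fixed check after deregistration: ", store.can_purchase_fixed(token))
```

The point of the generation counter is that the server never has to store or search a list of revoked tokens: one integer per device, compared on every purchase, is enough to make deregistration take effect immediately and to keep a token minted before a re-registration from coming back to life.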