As shown below, the "x-main" value is sufficient to identify my account, which is named "samccsf".
This looks like the same cookie re-use vulnerability I published in 2013 and presented at BSidesLV and DEF CON, as shown below.
012ZNALPc0PXcGLZjEn6?jVFPO17A0Y8R6woXg?wGP0nyBYBZsMMJ98BiZ3UPqOr
Then I changed my Amazon password, as shown below.
Reloading an Amazon page after the password change shows that the cookie value remains unchanged, which is very unwise.
If a user is changing a password, they are clearly making an effort to eject intruders, so Amazon should invalidate old cookies.
Sure enough, replaying an old request with the old cookie value still gets into my account, as shown below.
This exposes customers to persistent account compromise, as reported by that Reddit user. An attacker holding a stolen cookie can simply keep using the compromised account, and password changes have no effect.
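One way to implement the invalidation the post calls for, as an added example that is neither Amazon's code nor the author's: each session records the password generation it was issued under, and a password change bumps that generation so every cookie issued before it stops resolving. The names (SessionStore, password_generation) and the in-memory store are this example's own assumptions.

```python
# Added example (not Amazon's code): a toy in-memory session store whose cookies
# stop working as soon as the account's password changes.
import hashlib, secrets
from dataclasses import dataclass
from typing import Optional

def _hash(password: str) -> str:
    # Illustrative only; a real service would use a slow KDF such as argon2 or scrypt.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    password_hash: str
    password_generation: int = 0   # bumped on every password change

@dataclass
class Session:
    username: str
    password_generation: int       # generation the cookie was issued under

class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict = {}   # username -> Account
        self.sessions: dict = {}   # cookie value -> Session

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(_hash(password))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or acct.password_hash != _hash(password):
            return None
        token = secrets.token_urlsafe(32)   # fresh, unguessable cookie value
        self.sessions[token] = Session(username, acct.password_generation)
        return token

    def whoami(self, token: str) -> Optional[str]:
        # Resolve a cookie to a user; a cookie issued under an older password is rejected.
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess.password_generation != self.accounts[sess.username].password_generation:
            del self.sessions[token]        # eject the stale session for good
            return None
        return sess.username

    def change_password(self, username: str, new_password: str) -> None:
        acct = self.accounts[username]
        acct.password_hash = _hash(new_password)
        acct.password_generation += 1       # every cookie issued before this point is now dead
```

The same effect can be had by deleting all of a user's sessions on password change; the generation counter just avoids scanning the session table.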
As I found out in 2013, almost no one cares about this problem, including Amazon. And, obviously, they still don't care. But it's only a matter of time. Eventually this insecure practice will go out of fashion, like plaintext logins, plaintext cookie transmission, and so many unwise Web app practices.
Everyone is welcome to hack me anyway, as long as they adhere to the restrictions in my disclosure policy. Have at it!
Posted by Sam Bowne, 3-1-18