Amazon has patched a cross-site scripting zero-day vulnerability in its website after it was publicly disclosed.
The two days between disclosure and patch left a window in which Amazon accounts could be compromised and web browsers exploited.
A Brazilian hacker using the handle @BruteLogic published the flaw to XSSposed.org, saying that Amazon did not pay cash for bug bounty reports. He said that the vulnerability allowed attackers to view Amazon users' credit cards and to purchase items in their name, provided a victim clicked on a crafted malicious link.