Reporter David Leo
`The process of AWS login has a feature: if you use "fresh" browser(no cookie, no cache, etc) to sign in, put correct email and correct password there, CAPTCHA is required("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image below").
And I accidentally noticed this feature can be easily bypassed:
Knoppix 7.6.0 on Read-Only USB Stick - always "fresh" upon booting
Chromium 46 - not the latest
"US-WEST-2" EC2 Instance as proxy - always the same IP
1. Use Chromium to visit https://console.aws.amazon.com/
2. Put correct email and correct password there, and sign in
3. CAPTCHA is required
4. Clear cookie cache etc in Chromium
5. Use Chromium under "Lock Browser"(lockbrowser.com) with "txt/https-whitelist.txt" configured as the following:
6. Visit https://console.aws.amazon.com/ ... it should be an ugly page because CSS etc fails to load.
7. Put correct email and correct password there, and sign in
8. CAPTCHA is NOT required
I noticed this weird thing because I'm super lazy - don't add domains to whitelist if it works. Later, I thought, "oops, CAPTCHA is gone". Of course, I contacted Amazon, and they said it's not a bug.
REQUEST FOR COMMENT
1. Can you reproduce this?
2. Is this thing a bug or not?