
Agreed. My understanding is that having your password does not necessarily allow someone to see your CC number or order things on your behalf through Amazon, but it definitely does not seem like a best practice to go around handing out one's Amazon password. This sort of thing sounds like a good argument, though, for Amazon's implementing the sort of fine-grained permissions (in conjunction with a federated authentication system like OAuth) one finds on Twitter, FB, Google, and other services with a well-developed API and ecosystem. I would happily authorize a site like this to view my order history, even if I would not be willing to provide my password.


I wish Amazon would implement this. We see them visiting our site a lot. If you read this, dear Amazon employee, please implement :)


It's in progress: http://login.amazon.com


Also highly risky is AWS. Maybe an attacker can't order diamond rings for themselves, but they certainly could spin up a million EC2 instances to mine bitcoin.

The cost efficiency is terrible of course, but what do they care.


We haven't tested that, but I highly recommend (regardless of using ShelfFlip) to use "Multi-Factor Authentication" for AWS.


While MFA is a great idea and I highly recommend it, it doesn't do anything to prevent API access. :(
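An added example, not the commenter's own, of one way a defender can make MFA count for API calls as well: an IAM policy (assumed to be attached to the affected users or group) that denies every action unless the request carries the MFA context, which plain long-term access keys never do.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyApiCallsWithoutMfaContext",
      "Effect": "Deny",
      "NotAction": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

A request signed with a plain access key carries no aws:MultiFactorAuthPresent key at all, so BoolIfExists treats it as false and the deny applies; the NotAction list leaves open only enrolling a device and calling sts:GetSessionToken with an MFA code, which yields temporary credentials that do carry the context.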


How could having your password not allow someone to order things on your behalf? All I need to get into my account is my password, and then I can order anything I want.


Fair point. They can order things on your behalf, but cannot easily order things for THEMSELVES on your behalf since they can't enter a new shipping address without reentering the card number. But that doesn't totally eliminate the risk. They could be prepared to swipe the stuff off your porch when it's delivered (since they could predict when this would be) or they could use their power to simply harass you.


If you want to ship to a new address (not in your address book), Amazon requires you to re-input your card number.



