Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on ██████████
Low
Vulnerability Details
Hi Team,
I hope this report finds you well.
While going through the disclosed report (██████████), I found that the coupon code for free shipping is not redacted and can be used multiple times on any number of orders on the AWS merch store. (██████)
```
Free Shipping Promo Code (pick one):
United ████: ████████
International: ███
```
Disclosed Coupon in █████ -
█████
Validation of Coupon -
Before applying coupon
██████████
After applying coupon (██████)
████████
As you can see, the shipping is now free, and if it wasn't free it would have cost ~$43.
Looks like the system only validates whether the coupon string exists and is active. Each time the coupon is applied, the system accepts it and recalculates shipping cost as ₹0.
This results in a persistent ability to bypass shipping charges on every future order, with no expiration, tracking, or redemption log.
This is a classic business logic flaw where a missing server-side usage validation check leads to direct monetary loss.
Please help take a look.
Kind regards
## Impact
- Unlimited free shipping for attacker indefinitely.
- Can be automated with scripts to mass-create orders with no shipping cost.
- Direct financial impact proportional to shipping fees per order.
- Potential abusive reselling or arbitrage if physical goods are involved.
- Violates intended business rules and promotion limitations.
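To make the missing check concrete, here is an added example (not code from the report, from HackerOne, or from the affected store): a small in-memory coupon model whose first path reproduces the reported behaviour (the code only has to exist and be active) and whose second path enforces expiry, a per-customer limit and a global limit against a server-side redemption log. The coupon name, the $43 fee, the limits and the `Store`/`Coupon`/`abuse_total` helpers are all assumptions made for illustration.

```python
"""Coupon redemption: the reported existence-only check next to a hardened one.
Added example with constructed data; not the merch store's real implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Assumed shipping fee for the sample order (the report mentions ~$43).
SHIPPING_FEE = Decimal("43.00")


@dataclass
class Coupon:
    code: str
    active: bool = True
    expires_at: Optional[datetime] = None      # None: never expires
    per_customer_limit: Optional[int] = None   # None: unlimited per customer
    total_limit: Optional[int] = None          # None: unlimited overall


@dataclass
class Store:
    coupons: Dict[str, Coupon]
    # Server-side redemption log: (customer_id, code) -> times redeemed.
    # The vulnerable path never reads or writes this table.
    redemptions: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def shipping_vulnerable(self, customer_id: str, code: str) -> Decimal:
        """Reported behaviour: free shipping whenever the code exists and is active."""
        coupon = self.coupons.get(code)
        if coupon is None or not coupon.active:
            return SHIPPING_FEE
        return Decimal("0.00")

    def shipping_checked(self, customer_id: str, code: str,
                         now: Optional[datetime] = None) -> Decimal:
        """Hardened path: existence, active flag, expiry, per-customer count and
        global count are all enforced here, and a successful redemption is
        recorded before the discount is granted."""
        if now is None:
            now = datetime.now(timezone.utc)
        coupon = self.coupons.get(code)
        if coupon is None or not coupon.active:
            return SHIPPING_FEE
        if coupon.expires_at is not None and now >= coupon.expires_at:
            return SHIPPING_FEE
        key = (customer_id, code)
        used_by_customer = self.redemptions.get(key, 0)
        if (coupon.per_customer_limit is not None
                and used_by_customer >= coupon.per_customer_limit):
            return SHIPPING_FEE
        used_total = sum(n for (_, c), n in self.redemptions.items() if c == code)
        if coupon.total_limit is not None and used_total >= coupon.total_limit:
            return SHIPPING_FEE
        # Record the redemption at order placement so the next order sees it.
        self.redemptions[key] = used_by_customer + 1
        return Decimal("0.00")


def abuse_total(store: Store, customer_id: str, code: str,
                orders: int, use_fix: bool) -> Decimal:
    """Simulate the scripted mass-order scenario from the Impact section and
    return the total shipping actually charged over `orders` orders."""
    charge = store.shipping_checked if use_fix else store.shipping_vulnerable
    return sum((charge(customer_id, code) for _ in range(orders)), Decimal("0.00"))


def make_sample_store(expires_in_days: int = 30) -> Store:
    """Constructed sample data: one free-shipping code, one use per customer,
    three uses in total. Limits are assumptions, not the store's real ones."""
    expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
    return Store(coupons={
        "FREESHIP": Coupon("FREESHIP", active=True, expires_at=expires,
                           per_customer_limit=1, total_limit=3),
    })


if __name__ == "__main__":
    print("vulnerable, 10 orders:",
          abuse_total(make_sample_store(), "alice", "FREESHIP", 10, use_fix=False))
    print("hardened,   10 orders:",
          abuse_total(make_sample_store(), "alice", "FREESHIP", 10, use_fix=True))
```

Against the vulnerable path ten scripted orders pay nothing; against the checked path only the first is free and the remaining nine are charged. One caveat for a real deployment: the read-check-write in `shipping_checked` must be atomic (a database transaction with a row lock, or a unique constraint on the redemption record), otherwise a burst of concurrent checkouts can still exceed the limit before the log catches up.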
Report Stats
- Report ID: 3426839
- State: Closed
- Substate: resolved
- Upvotes: 4