Hacker News new | past | comments | ask | show | jobs | submit login
Amazon Wish Lists Are Dreadfully Insecure (kentbrewster.com)
27 points by nutmeg on March 26, 2009 | hide | past | favorite | 8 comments



Is the "insecurity" worth the convenience of having a bookmarklet for making wishes?

I think it is. Someone could add a bunch of porn to my Amazon wishlist. But they probably won't.


So you can engage in some low rent hijinks.

I can also create an Amazon account in your name and add porn to a wish list and send it to your boss.

Wake me when this thing can purchase items using my Amazon account and send it to another address.


This is slightly offtopic, but I found out recently that Amazon Wish Lists are rather useful if you need to track down an owner of an e-mail, who doesnt want to be found.

Google was drawing blanks, then using Pipl the only hit was Amazon Wish List, from which I found the full name, after that Google took over.

I suppose the owner of the e-mail address could have used a fake name for the wish list, but usually people do not.


The article lists several lessons learned from this, but really there's only one huge issue: stop using GET to modify state that the user cares about! Use POST! It's not hard! Or rather, it's less hard than dealing with the subtle problems that crop up when you use GET when you should have used POST.


While that's good advice generally, it's not enough to protect you from CSRF attacks like the Amazon wishlist one.


Sketerpot has it: the very first thing I always try is a GET to all those Ajax endpoints that the script is POSTing to.


Looks like this has been fixed. I'm going to leave the post up in case people are curious about what was happening.


Worked for me. Returned my name and added a youtube link to my wishlist.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: