I can manipulate your amazon.com recommendations

by Felix

I can put any item of my choice on your personalized amazon.com homepage. Did I hear you say Bollocks!? Well, here is proof:

  1. Open this page.
  2. Visit amazon.com.
  3. Observe Dale Carnegie’s classic How to win friends and influence people appear on your personalized amazon.com homepage (see screenshot below for comparison).
  4. Order it if you are interested; it is a great read (optional step ;-))!

So how does it work? The page contains a hidden iframe that triggers an HTTP GET request to the book’s page on amazon.com. Amazon now thinks you are interested in this item and recommends it and similar ones to you on its homepage. I would like to leave possible malicious applications to your imagination.

How to fix this? If the X-Frame-Options response header is set to SAMEORIGIN, modern browsers will not display a page that a third-party website has embedded in a frame. Interestingly, the German amazon website amazon.de does this.

I have informed amazon.com of this issue via Twitter and E-Mail.

Disclosure: all links to amazon.com are referral links.

Update (2012-04-05): amazon.com got back to me and told me that they have added the X-Frame-Options header.

9 comments on “I can manipulate your amazon.com recommendations”

  1. Oliver wrote on 28 March 2012 at 18:08:

    You’ll want to be careful – opening amazon in an iframe with a referral tag is explicitly against the referral program’s terms of service, which they *will* cancel your account for if left as is. Referral tags may only be used in the context of explicit and intentional clicks on the user’s part.

  2. Andrew Warner wrote on 28 March 2012 at 19:06:

    It wasn’t recommended to me. But I do see it in my Amazon history.

  3. Vivian wrote on 28 March 2012 at 20:32:

    perfect for book authors ;)

    but it’s actually a bit risky because amazon bans accounts if they try to do “cookie stuffing”

  4. Rich Dougherty wrote on 29 March 2012 at 02:01:

    This is a cross-site request forgery (CSRF). To prevent the attack the *server* needs to disregard the *request*. It doesn’t matter whether or not the browser disregards the response to that request. By the time the browser receives the response it is too late, the server will already have processed the request. Therefore using X-Frame-Options won’t help in this case.

    The correct solution (I believe) is for the server to check for Referer or Origin headers and use those headers to determine whether or not the request is valid.

    The decision about which requests to accept may be a bit fuzzy in this case because Amazon probably wants to accept most requests that originate from external sites, but perhaps not all of them (as your attack shows).

    Strict CSRF prevention techniques are probably not desirable due to the fact that the recommendation system needs to be seamless to the end user. It would be inappropriate (for example) to ask the user for their password!

    Some references for the interested reader:

    http://en.wikipedia.org/wiki/Cross-site_request_forgery

    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
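As an added example (not code from the post and not Amazon's), here is a server-side handler in Python for the two defences discussed on this page: the X-Frame-Options: SAMEORIGIN response header the post recommends, and the request-side check this comment asks for. The header only stops a browser from displaying the page inside a third-party frame; the browser still sends the GET, so whether the view lands in the browsing history is decided by the server when it receives the request. The `is_intentional_visit` check uses the Origin and Referer headers the comment mentions and, going beyond the comment, the Sec-Fetch-Dest and Sec-Fetch-Mode request headers that current browsers send, which let a server tell a top-level page load apart from an embedded iframe or img (the img variant mentioned in comment 8 below). The host names, the history store, the function names and the sample requests are all constructed for this example.

```python
from urllib.parse import urlsplit

# Hostnames that count as first party. Placeholder values for this example,
# not any real shop's configuration.
FIRST_PARTY_HOSTS = {"www.shop.example", "shop.example"}


def response_headers(content_type="text/html; charset=utf-8"):
    """Headers every HTML page should carry. X-Frame-Options: SAMEORIGIN makes
    browsers refuse to render the page inside a frame on another origin. The
    request is still sent; only the display of the response is blocked."""
    return {"Content-Type": content_type, "X-Frame-Options": "SAMEORIGIN"}


def _host_of(url):
    """Hostname of an absolute URL, or None if the value is empty."""
    return urlsplit(url).hostname if url else None


def is_intentional_visit(headers):
    """True if a product-page request looks like a deliberate navigation by the
    visitor, False if it looks like a resource embedded by another page
    (iframe, img, script, ...). `headers` maps request header names
    (any case) to values."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Fetch Metadata (sent by current browsers) is the reliable signal:
    #    only a top-level document navigation is something the user chose
    #    to look at. A navigation from a link on another site still passes.
    dest = h.get("sec-fetch-dest")
    if dest is not None:
        return dest == "document" and h.get("sec-fetch-mode") == "navigate"

    # 2. Older browsers: fall back to Referer/Origin. An embedded frame or
    #    image carries the embedding page's URL in Referer, but so does a
    #    genuine link click, so a third-party Referer is ambiguous. This
    #    policy treats same-site and missing Referer as intentional and
    #    third-party as not, at the cost of dropping real links from outside
    #    (the trade-off the comment above describes).
    referer_host = _host_of(h.get("referer")) or _host_of(h.get("origin"))
    if referer_host is None:
        return True
    return referer_host in FIRST_PARTY_HOSTS


def record_product_view(history, user_id, product_id, headers):
    """Append product_id to the user's browsing history only for intentional
    visits. `history` is a dict user_id -> list. Returns True if recorded."""
    if not is_intentional_visit(headers):
        return False
    history.setdefault(user_id, []).append(product_id)
    return True


# Constructed sample requests (not captured traffic), as a browser would send
# them in each scenario. Referer values are placeholders.
SAMPLE_REQUESTS = {
    "hidden iframe on a third-party page": {
        "Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "cross-site", "Referer": "https://blog.example/post"},
    "img tag on a third-party page": {
        "Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors",
        "Sec-Fetch-Site": "cross-site", "Referer": "https://blog.example/post"},
    "link clicked on a third-party page": {
        "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "cross-site", "Referer": "https://blog.example/post"},
    "old browser, came from site search": {
        "Referer": "https://www.shop.example/s?k=carnegie"},
    "old browser, embedded on a third-party page": {
        "Referer": "https://blog.example/post"},
    "old browser, typed the URL": {},
}


def classify_samples():
    """Map each sample scenario to the server's decision."""
    return {name: is_intentional_visit(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(response_headers())
    for name, decision in classify_samples().items():
        print(f"{'record ' if decision else 'ignore '} {name}")
```

With current browsers the decision is exact: the hidden iframe and the img variant are ignored while a link click from another site is still recorded. For browsers without Fetch Metadata the Referer fallback cannot tell an embedded frame from a link click, which is the fuzziness this comment points out; how strict to be there is a product decision, not something the headers can settle.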

  5. Manning wrote on 29 March 2012 at 06:30:

    I am not affected. I use Firefox 11. I “log in” when I want to buy a book, then I “log out.” It is not very safe to always be “logged in”!

    (Please excuse my German; it is my third language.)

  6. Blogger shows Amazon up | TopApps World wrote on 29 March 2012 at 14:50:

    [...] can be manipulated quite easily on Amazon, as the blogger Felix Middendorf shows on his blog Diskurswelt. With a test page he demonstrates how it is done. Middendorf, however, does not want to use this to [...] all [...]

  7. Thorsten wrote on 30 March 2012 at 07:10:

    Hello Felix,

    sad enough that a global company like Amazon does not apply the “simplest” security settings. But for an affiliate it is certainly a great thing.

    Thanks

  8. Torben wrote on 30 March 2012 at 18:52:

    Dear Felix, I played around with this for a while and changed it a bit: It turns out using an IMG tag for the items works on both .com and .de. Does using an IFrame have any advantages?

    Here is the link to a demo page: http://news.ycombinator.com/item?id=3776843

  9. Klaus wrote on 3 April 2012 at 23:33:

    Anyone who wants to see real fraud on the book market should enter the name of this Focus editor: “matthias matting”
    Of 65 reviews, he demonstrably faked 60! Amazon has added that every review now states whether the product was purchased or not.
    Have a look, it is outrageous!
