I can manipulate your amazon.com recommendations

Mittwoch, 28. März 2012, 16:55 Uhr von Felix

I can put any item of my choice on your personalized amazon.com homepage. Did I hear you say Bollocks!? Well, here is proof:

  1. Open this page.
  2. Visit amazon.com.
  3. Observe Dale Carnegie’s classic How to win friends and influence people appear on your personalized amazon.com homepage (see screenshot below for comparison).
  4. Order it if you are interested, it is a great read (optional step ;-))!

So how does it work? The page contains a hidden iframe that triggers an HTTP GET request to the book’s page on amazon.com. Now amazon thinks you are interested in this article and recommends it and similar ones to you on their homepage. I would like to leave possible malicious applications to your imagination.

How to fix this? If the X-Frame-Options response header is set to SAMEORIGIN, modern browsers will not allow third party websites to include a page. Interestingly, the German amazon website amazon.de does this.

I have informed amazon.com of this issue via Twitter and E-Mail.

Disclosure: all links to amazon.com are referral links.

Update (2012-04-05): amazon.com got back to me and told me that they have added the X-Frame-Options header.