
Show HN: Get a list of your Amazon purchases and see what you can sell them for - ChristianKletzl
https://www.shelfflip.com
======
martingordon
When you sign up, your Amazon email and password are sent to the server using GET
and so are visible in the URL. While the request is done over HTTPS (and
traffic snoopers can't see it), it is very likely that there are a ton of
Amazon credentials lying around unencrypted in a log somewhere on their
server.

For some reason, the "Norton Secured" badge makes me less likely to trust the
site, and looking at the inline, not very well written JavaScript gives me even
less confidence that the guys behind this site have the technical chops to keep
my data secure.
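
Why credentials in a GET query string end up readable in server logs, as an added example that is not part of the original comment or the site's code: a scan over constructed access-log lines that flags and redacts secret-bearing query parameters. The `/signup.php` path and the `email`/`password` parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets (assumed; the page does not name the site's fields).
SENSITIVE = {"password", "passwd", "pwd", "pass", "email"}

# Request portion of a common/combined access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "[REDACTED]"
        cleaned.append((name, value))
    query = urlencode(cleaned, safe="[]")  # keep the marker's brackets readable
    return urlunsplit(parts._replace(query=query)), leaked

def scan(lines):
    """Return (line_number, method, leaked_names, redacted_line) per exposing line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, leaked = redact_target(match.group("target"))
        if leaked:
            safe_line = line[:match.start("target")] + redacted + line[match.end("target"):]
            findings.append((number, match.group("method"), leaked, safe_line))
    return findings

# Constructed sample log lines (not from the site discussed above);
# /signup.php is a hypothetical endpoint. A POST body never reaches this log.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2014:10:00:01 +0000] "GET /signup.php?email=alice%40example.com&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jul/2014:10:00:05 +0000] "POST /signup.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jul/2014:10:00:09 +0000] "GET /search.php?q=nexus+7 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, method, leaked, safe_line in scan(SAMPLE_LOG):
        print(f"line {number}: {method} exposes {leaked}")
        print("  " + safe_line)
```

The same values also land in browser history and any intermediate proxy log that records the full URL, so redacting one log is cleanup, not a fix; the fix is sending the form in a POST body.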

~~~
jggonz
I agree. The use of the Norton Secured badge made me quickly leave the site.

A possible solution:

There's a "Login with Amazon" service that may be what the developer needs to
be using: [http://login.amazon.com/](http://login.amazon.com/)

~~~
ChristianKletzl
A/B testing showed that the Norton security badge is perceived positively.
Does anyone have a different experience?

~~~
seanlinehan
I can't speak broadly, only from my personal reaction. I also left the site
after seeing the Norton logo (and before reading the comments here), because
it seemed completely misplaced. I associate Norton with cleaning my computer
of badware, not of whether or not some just-launched service is treating my
data securely.

Because it seemed out of place, it felt like it was an obvious tactic to
bootstrap trust where there wasn't any. A better icon (for me) would have been
a badge from your SSL provider, or even just some well designed lock icon.

~~~
ChristianKletzl
Very interesting point. The Norton badge is our SSL badge (Symantec bought
them or vice versa).

It seems like they need to do a better job of educating users about that. I
don't think they have a pure "Symantec SSL" badge anymore.

------
bearbin
This seems like a cool idea, but I don't feel comfortable giving out my Amazon
credentials with no guarantee of how they are used.

~~~
ChristianKletzl
Is there anything we could do to make you (and many more with the same
sentiment) more comfortable? We are thinking of writing a blog post about what
happens in the background. Would that help? Any other ideas?

~~~
mileswu
Just an off-the-top-of-my-head idea: Could you give people a bookmarklet or an
extension that they can run when they are on their order history page that
exports all the Amazon product IDs?

~~~
jaredsohn
I was going to write something similar to this. One issue, though, is that it
doesn't necessarily track new purchases.

To do that as well, it needs to be an extension and it should also monitor
whenever you buy something. If there is a concern that purchases might happen
when on another computer, you could allow the user to enter their password
into the extension so that the extension can monitor things for you in the
background. While users don't have a guarantee that the extension is using the
password securely, at least it is possible for the source code to be
inspected.

------
schrodinger
Honestly, this is unethical.

You should not be collecting people's usernames and passwords, being a
software engineer aware of the consequences, regardless of whether users are
willing to give them up.

There are so many things that can go wrong, even if you've got the best of
intentions.

------
dewey
Looks nice, but it just feels a bit weird to enter your Amazon password with
linked credit cards and bank accounts on another site. I'm aware that there's
probably no better way of accessing that purchase history data but it's just
something people have been preaching for years shouldn't be done.

~~~
ChristianKletzl
Agreed. However, even with your credentials, we wouldn't be able to access
your credit card number (Amazon hides it). Additionally, if we wanted to
order anything in your name, but our address, we would have to reconfirm the
credit card number, which we don't have.

~~~
falcolas
You could, however, spin up or down EC2 instances associated with that
account. You could easily destroy a business with this information, or
bankrupt a person (well, Amazon is usually pretty good about forgiving
accidental charges, but imagine explaining to them how someone got your
credentials).

------
silentbob46
After giving this a try, I got an email from Amazon saying they've reset my
password because I "may have been subject to a 'phishing' scam".

~~~
ChristianKletzl
I am really sorry to hear that. We've experienced that once or twice before.
This happens when the phone number associated with the account doesn't match
the one you entered. Unfortunately, Amazon sometimes asks for an old phone
number, as long as that number has at one point been associated with your
account. ShelfFlip definitely doesn't do anything scammy.

~~~
JustSomeNobody
I don't think you are, but if you were doing something scammy, would you
_really_ admit to it?

~~~
ChristianKletzl
haha I know... I just wanted to highlight that

------
billsinc
What about going the "TripIt" route and let people forward their email
receipts? You could parse and let people populate their accounts that way. I
think you can even request old receipts for ones you've deleted.

------
JadoJodo
For what it's worth, I did this and it prompted Amazon to reset my password
due to suspected phishing attempts.

------
izzydata
Unfortunately I agree with everyone else and I was immediately wary when it
asked me for my amazon credentials. There must be a better way to get this
information.

Also these prices make no sense for when I search items directly. How can a
flawless Nexus 7 2013 be worth only $70? Where can I buy them all?

~~~
slig
> How can a flawless Nexus 7 2013 be worth only $70? Where can I buy them all?

It's worth $70 to them. They are buying to resell, and they can pay a lower
price for the convenience of getting the item from your house and paying you
instantly.

One can always sell it on eBay/craigslist and get a bigger price, but you'll
have to deal with buyers, scammers, shipping, etc. It boils down to how much
your time is worth and/or how fast you need the money.

~~~
StephanKletzl
Pricing is definitely one of our challenges. We are currently paying prices of
around 80% of what we think is a fair amazon market value, while giving the
user a hassle-free sales experience. (Our prices are not manually entered but
automatically calculated [e.g. based on price on Amazon, prices on other
recommerce sites, ...]) This (almost) always leads to prices that are higher
than Gazelle's or NextWorth's while also offering the convenience of getting
paid within 24 hours. (in SF)

------
azurelogic
I had a bad feeling as soon as I saw the "Let's find out" button. When my
fears were confirmed, I immediately closed the tab.

You HAVE to find a better way to do this. People are becoming increasingly
aware of the risks of this kind of behavior on malicious sites, and potential
users will walk away out of paranoia.

It's a great idea, if you can find another way.

------
cnaut
I don't feel comfortable giving my amazon login credentials like a lot of
people here. I think Unioncy ([https://unioncy.com/](https://unioncy.com/))
has an interesting solution to this. They parse your emails for amazon
receipts to figure out your amazon purchases.

------
thekevan
Not only would I echo the "give a website my Amazon creds" argument, but what
if I want to sell things I haven't bought from Amazon and/or (like me) you
don't really buy things on Amazon?

I have lots of things I would like to sell and declutter, but none of them are
from Amazon.

~~~
ChristianKletzl
You can also sell products that you haven't bought on Amazon - if we show a
price, then we are buying it (you can search for books / electronics here:
www.shelfFlip.com/search.php).

------
SethKinast
I can't believe anyone would put their Amazon password into a third-party
site. I clicked on the link, started through the login funnel, realized what I
was about to do, and stopped.

When I got the "Are you sure?" message, I started thinking that the site was
specifically crafted to show how easy it is to get people to give passwords to
a "reputable-looking" third party.

I expected to get some sort of congratulatory message after saying no, like
"You're smart enough to not give us your password!" When I didn't get that, I
came back to the HN comments, expecting to see an explanation from OP about
this proof of concept.

Then I see it's supposed to be a real site. Well then.

------
Practicality
The simple login prompt for a different site is terrifying. Even if you can be
trusted today, are you sure you won't hire an employee tomorrow who will sell
all those passwords for fun and profit?

~~~
elyrly
odd they would release it on hacker news with this flaw.

------
ChristianKletzl
---UPDATE---

@everyone: Want us to email you as soon as we have a password-free way to
import your purchases? (for example through csv import)

Shoot me an email to christian@shelfflip.com (subject: "shelfflip
passwordfree")

~~~
schrodinger
You should really do the right thing and take this down until then.

~~~
StephanKletzl
We offered a password-free option but it was too complicated (and thus, the
users preferred the current option). We'll likely add the other option in the
future (but only as an addition to the current option).

~~~
schrodinger
You should be prepared for Amazon to block requests from your servers. (And I
think this would be the right thing for them to do)

------
meraku
Asking me to enter my Amazon username and password makes this a complete non-
starter. Might be the best idea in the world, but I'm not going to risk
handing over my credentials for something as sensitive as my Amazon account to
make a few extra bucks on some old stuff. There's just not enough risk-reward
there for me (though with all due respect and in all honesty, it's unlikely
there would ever be enough reason for me to hand over my credentials to some
random startup)

------
donall
I'm curious about the algorithm. Is there a ceiling for book prices? I seemed
to get very similar results for multiple different types of books, including
being offered $3.21 for one that sells for
$100:[http://www.amazon.com/gp/aw/d/0575066601?pc_redir=1405401886...](http://www.amazon.com/gp/aw/d/0575066601?pc_redir=1405401886&robot_redir=1)

~~~
ChristianKletzl
There is no ceiling in place (I need to look into why different books show
similar results). For the mentioned book, there's a difference between for how
much it is offered and for how much it is bought (if someone wants $100, it
doesn't mean that anyone is buying it for that price)

Scanning 44 other book-buying sites, only 3 are buying that book and the price
is between $0.12 and $3.97

~~~
donall
Makes sense. I didn't realize you had multiple sources, but I'm glad you do!

------
balor123
Maybe get the purchase history another way? Use the new Gmail API to search
for the Amazon emails. Could easily extend to other stores as well.

~~~
ChristianKletzl
Great idea. We have that actually implemented, but are currently not
displaying it. Unfortunately people are even less likely to give a website
access to their emails, since this often means giving access to pretty much
everything (through "I forgot my password" emails)

~~~
MichaelGG
Amazon has order reports, do they not? Why not just allow importing of that?

------
WWKong
I saw a form asking for my Amazon password and noped out of there. I really
want to try the service, but how do we solve for this trust issue?

------
xur17
Great idea! I'm guessing you're checking the resale price on Amazon, and
giving a price based on that?

I got frustrated with the process of listing / selling items on Amazon (I
imagine a lot of it could be automated), and looked around for a service like
this (and then added it to my 'side-project' idea list).

I'll give it a shot next time I get rid of stuff.

------
saddestcatever
I'm curious to see where the pricing structure is coming from.

For example: Apple MacBook Pro ME864LL/A 13.3-Inch Laptop with Retina Display
(NEWEST VERSION) $382.32

It's a compelling business idea, and I understand there's a need to generate a
profit, yet the math seems a little off.

~~~
ChristianKletzl
I looked into this and the price is now $472. (HN traffic is stress-testing
our pricing engine) For this item, we relied on Amazon's trade-in price, which
we want to get away from very soon. (because the prices are too low, imho)

------
nigo
Although this is a useful service, the Amazon Security team may block your
site. Even if your site is trustworthy, this increases Amazon's liability for
phishing attacks on other phishing sites.

------
Kluny
A site that is not Amazon asked for my Amazon username and password. Uh, nope
the fuck out of here. That account has access to my credit card information
and home address.

------
BrandonY
> What is your Amazon.com password?

If this were Reddit, this is the point where I would attach a hilarious GIF of
some animal running away with the text "NOPE" all over it.

------
fursund
This is a really good idea! I'd say Amazon isn't the only place I buy stuff,
so adding places like Target, IKEA, etc. would be great!

------
meritt
Is this obtaining pricing via the Product Advertising API or is it doing it via
more traditional scraping (e.g. website or mobile app)?

------
sami_b
At first I thought this was a prank to see if I would easily give up my amazon
credentials. Fool me once...actually not this time.

------
dgurson
Thank you for taking the hassle out of reselling my items. I think this is a
great idea!

------
vermooten
yeah right, I'm totally going to give you my credentials. You from Nigeria by
any chance?

------
cm2012
Awesome business model and setup.

~~~
StephanKletzl
Thanks for your comment, I am glad you like it. (PS: No, the parent comment
was not a self-promotion by us - I swear)

