

Amazon Wish Lists Are Dreadfully Insecure - nutmeg
http://kentbrewster.com/amazon-wish-lists-are-dreadfully-insecure/

======
jrockway
Is the "insecurity" worth the convenience of having a bookmarklet for making
wishes?

I think it is. Someone could add a bunch of porn to my Amazon wishlist. But
they probably won't.

------
bena
So you can engage in some low rent hijinks.

I can also create an Amazon account in your name and add porn to a wish list
and send it to your boss.

Wake me when this thing can purchase items using my Amazon account and send it
to another address.

------
antidaily
Worked for me. Returned my name and added a youtube link to my wishlist.

------
sireat
This is slightly offtopic, but I found out recently that Amazon Wish Lists are
rather useful if you need to track down an owner of an e-mail, who doesn't want
to be found.

Google was drawing blanks, then using Pipl the only hit was Amazon Wish List,
from which I found the full name, after that Google took over.

I suppose the owner of the e-mail address could have used a fake name for the
wish list, but usually people do not.

------
sketerpot
The article lists several lessons learned from this, but really there's only
one huge issue: stop using GET to modify state that the user cares about! Use
POST! It's not hard! Or rather, it's less hard than dealing with the subtle
problems that crop up when you use GET when you should have used POST.

~~~
simonw
While that's good advice generally, it's not enough to protect you from CSRF
attacks like the Amazon wishlist one.

------
kentbrew
Sketerpot has it: the very first thing I always try is a GET to all those Ajax
endpoints that the script is POSTing to.

------
kentbrew
Looks like this has been fixed. I'm going to leave the post up in case people
are curious about what was happening.

