I can manipulate your amazon.com recommendations (diskurswelt.de)
160 points by middus on Mar 28, 2012 | 30 comments

I can think of two evil uses for this:

#1: If you're an author who also runs a blog, you can make Amazon "recommend" your book to your visitors.

#2: The Amazon referral tag is included in the iframe. If I recall right, once you visit an Amazon page with such a tag, that gets set for your entire session and the referrer gets credit for everything you buy. This means if I embed this on my website, and you visit, I will get a cut of all your Amazon purchases. Automatically.

(As stated below this will probably get you banned before you can receive payment, sadly)

Regarding #2 and the affiliate/associates program: Without going into specifics this is generally prevented. For example, pages viewed from iframes include referrer headers and most web browsers will report screen dimensions, etc. You can tell when content was loaded in the background and doesn't match with the subsequent purchase behavior.

Amazon is insanely customer-focused and works hard to ensure everything is fair and above board.

If Amazon pays a percentage to some website I visited that's really invisible to the customer. Amazon's incentive here is their Karen Carpenter thin margins (too soon? too bad, I'm tired of using razors as the cliche thin metaphor).

Besides your sentence not making a lot of sense (i.e. I have no idea what you are talking about), no one knows what a Karen Carpenter is - some kind of woodworking tool? (I suppose I could google it.)

You need to expand your music horizons!

It also means your Amazon affiliate account will get banned in short order, I think. I'm pretty sure they enforce the TOS on this issue. (Obviously I haven't tried my own luck.)

X-Frame-Options (in supported browsers) prevents the result of a request from being rendered in the browser, it doesn't prevent the request itself from being made. So does X-Frame-Options actually prevent this? Is the change to your recommendations made by an AJAX callback when you view the page? I would've assumed it was made by the pageview itself.

I agree that X-Frame-Options isn't the right solution. Here's the comment I posted on the site:


This is a cross-site request forgery (CSRF). To prevent the attack the server needs to disregard the request. It doesn’t matter whether or not the browser disregards the response to that request. By the time the browser receives the response it is too late, the server will already have processed the request. Therefore using X-Frame-Options won’t help in this case.

The correct solution (I believe) is for the server to check for Referer or Origin headers and use those headers to determine whether or not the request is valid.

The decision about which requests to accept may be a bit fuzzy in this case because Amazon probably wants to accept most requests that originate from external sites, but perhaps not all of them (as your attack shows).

Strict CSRF prevention techniques are probably not desirable due to the fact that the recommendation system needs to be seamless to the end user. It would be inappropriate (for example) to ask the user for their password!

Some references for the interested reader:
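To make the comment's suggestion concrete, here is an added example (not code from the post or from Amazon) of the server-side decision it describes: the product page is still served to anyone, but the view is only written into the visitor's recommendation profile when the request's Origin (or, failing that, Referer) header resolves to an origin the site trusts. The trusted origin, the header names used as dict keys and the `strict` policy for header-less requests are assumptions of this example.

```python
from urllib.parse import urlsplit

# Origins whose page views may update a visitor's profile (constructed sample value).
TRUSTED_ORIGINS = {"https://www.example-shop.test"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin; None if it is not parsable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # malformed port such as ":abc"
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname       # urlsplit already lower-cases the hostname
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def request_origin(headers):
    """Origin the browser attributes the request to: Origin first, then Referer.

    Returns the literal string "null" for sandboxed/opaque origins and None when
    neither header is present.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return "null"
        return origin_of(origin)
    referer = h.get("referer")
    return origin_of(referer) if referer else None


def should_record_view(headers, strict=True):
    """Decide whether this page view may modify the visitor's recommendation profile.

    The page itself is always rendered; only the state change is gated. A request
    with neither header (stripped by a privacy extension or a referrer policy) is
    rejected in strict mode and accepted in lenient mode; that trade-off is the
    "fuzzy" policy choice the comment mentions.
    """
    origin = request_origin(headers)
    if origin is None:
        return not strict
    return origin in TRUSTED_ORIGINS
```

Exact-origin matching is deliberate: a prefix or suffix match would let a host such as `www.example-shop.test.evil.test` pass.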



Perhaps AJAX, but Amazon would probably like to support people without JS, so maybe they log the pageview when the browser requests the product image or something.

They don't. Including a page as an image includes it in my recently viewed items. Don't know about recommendations, as Amazon.co.uk have a kindle letter running.

So, it's going to be a matter of time before some hacker's "Learn to be successful with no effort, pick up chicks, lose weight, and make money in your free time" book rockets to number 1.

Tim Ferriss?

This is such a simple hack that I am shocked it took this long for someone to try it.

You're shocked it took this long for someone to write about it.

Tangent: Thanks for disclosing your Amazon referral link. I don't mind when people use them, but they always seem much more polite with a disclaimer on the page.

That's nothing special actually.

The Amazon recommendations module is definitely buggy, but it works for their purpose and as long as they can cope with "marketplace manipulators" they're okay. Oh they can't.. well you know they are one of the largest Marketplaces, they will find a solution quickly.. http://news.ycombinator.com/item?id=2475854 Oh, they can't even fix that? Well what needs to be said, needs to be said.

Thanks for your find middus!

I don't understand what needs to be fixed from your link. Independent sellers can set their own prices? Oh no.

And in the mean time, all HN readers who visited the page with the iFrame got cookied with an Amazon affiliate cookie of the "Hacker" writing about this!

Clever girl.

After a conversation with a co-worker about how products followed him around on amazon, I had the same thought of providing a series of "funny" recommendations using this method.

The only problem would be researching the funny products would probably skew my results as well (unless I was careful and viewed incognito mode)

1. clicked through as described
2. Carnegie's book not on my list

Either Amazon fixed this already or it never worked in Chrome? Or something else.

Worked for me on Chrome fine just now.

Same. OSX Chrome.

Worked fine for me as well. Chrome on Windows 7. Did you by any chance look at anything else on Amazon?

Worked for me, on chromium.

There are so many reasons that looking at an item doesn't mean you're interested in buying it (or, at least not buying it for yourself) that I'm surprised that such minor signals like that still radically alter your recommendations. The system doesn't seem particularly smart.

Hack works on Android Browser.

Why the iframe stuff and not just Javascript to send requests to amazon.com?

I thought about this for a minute, then I thought "who cares". If I go to someone's web site and they set my Amazon recommendations to buy their merchandise that they are selling, couldn't they have just showed me the same thing on their site with a link to Amazon? Couldn't they just as easily redirected my browser to the Amazon page or tried opening up a popup to go to their product there? Amazon's recommendations are based on what you viewed or searched for last. How often do you go to Amazon to find something to buy? I go there to find something I already know that I want - and I then search for it.

Seeing their recommendations for some merchandise that I also saw on a different website earlier does not affect me in any way, in fact I don't even look at the recommendations. I type in what I am looking for and hit enter (boom, old recommendations are gone).

> X-Frame-Options response header is set to SAMEORIGIN

So break every iframe on the net to fix Amazon's lazy approach to recommendations?

This would only break iframes that are loading Amazon pages and Amazon really should be doing this to prevent click-jacking anyways.
