#1: If you're an author who also runs a blog, you can make Amazon "recommend" your book to your visitors.
#2: The Amazon referral tag is included in the iframe. If I recall right, once you visit an Amazon page with such a tag, that gets set for your entire session and the referrer gets credit for everything you buy. This means if I embed this on my website, and you visit, I will get a cut of all your Amazon purchases. Automatically.
(As stated below this will probably get you banned before you can receive payment, sadly)
Amazon is insanely customer-focused and works hard to ensure everything is fair and above board.
This is a cross-site request forgery (CSRF). To prevent the attack the server needs to disregard the request. It doesn’t matter whether or not the browser disregards the response to that request. By the time the browser receives the response it is too late, the server will already have processed the request. Therefore using X-Frame-Options won’t help in this case.
The correct solution (I believe) is for the server to check for Referer or Origin headers and use those headers to determine whether or not the request is valid.
The decision about which requests to accept may be a bit fuzzy in this case because Amazon probably wants to accept most requests that originate from external sites, but perhaps not all of them (as your attack shows).
Strict CSRF prevention techniques are probably not desirable due to the fact that the recommendation system needs to be seamless to the end user. It would be inappropriate (for example) to ask the user for their password!
Some references for the interested reader:
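As an added illustration of the server-side check the comment above proposes (this is example code, not anything from the thread or from Amazon), the policy below classifies a request as same-site, cross-site or unknown from its Origin header, falling back to Referer, and then decides separately whether to serve the response and whether to apply side effects such as crediting a referral tag or updating browsing history. The site origin `https://shop.example`, the partner allow-list and the sample requests are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the site's own origin and a short list of
# partner origins whose embedded requests are allowed to have side effects.
SITE_ORIGIN = "https://shop.example"
TRUSTED_PARTNERS = {"https://partner.shop.example"}
SAFE_METHODS = {"GET", "HEAD"}


def origin_of(url):
    """Reduce a Referer URL or an Origin value to scheme://host[:port],
    lowercased. Returns None when there is no usable scheme and host."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(headers):
    """Work out where a request came from.

    Origin is preferred because browsers send it on cross-site state-changing
    requests and it cannot carry a path; Referer is the fallback for plain
    navigations and iframe loads. Returns (kind, source_origin, reason) where
    kind is 'same-site', 'cross-site' or 'unknown'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "origin" in h:
        if h["origin"].lower() == "null":
            # Opaque origin (sandboxed iframe, data: URL, redirect chain):
            # treat as cross-site, never as the site itself.
            return "cross-site", None, "Origin: null (opaque context)"
        src, label = origin_of(h["origin"]), "Origin"
    elif "referer" in h:
        src, label = origin_of(h["referer"]), "Referer"
    else:
        return "unknown", None, "no Origin or Referer header"
    if src is None:
        return "unknown", None, f"unparseable {label} header"
    if src == SITE_ORIGIN:
        return "same-site", src, f"{label} matches site origin"
    return "cross-site", src, f"{label} is {src}"


def decide(method, headers):
    """Server-side policy, returned as (serve, apply_side_effects, reason).

    - Safe methods are always served, so embedding a product page in an
      iframe still works, but referral credit and history updates are only
      applied for same-site requests or trusted partners.
    - State-changing methods are processed only for those same sources;
      an unknown source fails closed."""
    kind, src, reason = classify(headers)
    allowed = kind == "same-site" or (kind == "cross-site" and src in TRUSTED_PARTNERS)
    if method.upper() in SAFE_METHODS:
        return True, allowed, f"{kind}: {reason}"
    return allowed, allowed, f"{kind}: {reason}"


if __name__ == "__main__":
    # Constructed sample requests: the blog-iframe case from the thread,
    # a normal on-site click, and some state-changing POSTs.
    samples = [
        ("GET", {"Referer": "http://attacker-blog.example/post?x=1"}),
        ("GET", {"Referer": "https://shop.example/search?q=book"}),
        ("GET", {"Referer": "https://partner.shop.example/widget"}),
        ("POST", {"Origin": "https://shop.example"}),
        ("POST", {"Origin": "null"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        serve, effects, why = decide(method, hdrs)
        print(f"{method:4} serve={serve!s:5} side_effects={effects!s:5}  {why}")
```

The split between serving and side effects is what keeps the check from being "strict CSRF prevention" in the sense the comment warns against: an embedded iframe still renders, it just cannot silently set a referral tag for the session. The unknown case is deliberately conservative for state changes; a typed URL or bookmark still loads the page, and the user's next same-site click carries a matching Referer.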
The Amazon recommendations module is definitely buggy, but it works for their purpose and as long as they can cope with "marketplace manipulators" they're okay. Oh, they can't... well, you know, they are one of the largest marketplaces, they will find a solution quickly...
http://news.ycombinator.com/item?id=2475854 Oh, they can't even fix that? Well what needs to be said, needs to be said.
Thanks for your find middus!
The only problem would be that researching the funny products would probably skew my results as well (unless I was careful and viewed them in incognito mode).
Either Amazon fixed this already, or it never worked in Chrome? Or something else.
Seeing their recommendations for some merchandise that I also saw on a different website earlier does not affect me in any way, in fact I don't even look at the recommendations. I type in what I am looking for and hit enter (boom, old recommendations are gone).
So break every iframe on the net to fix Amazon's lazy approach to recommendations?