Amazon One-Click Chrome Extension Snoops On SSL Traffic

An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."

color me surprised

[noh8rz8]

well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

Re:color me surprised

[CanHasDIY]

well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

Before too long, it's going to be easier to list the groups who don't have access to your data...

Re:color me surprised

Here is the updated list:

1. You

Re:color me surprised

Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.

Re:color me surprised

[Omestes]

at the very least Apple isn't monetizing my web surfing,

Apple was also on that NSA slide, along with Google and Microsoft. I wouldn't trust them either.

There are no good guys anymore. Accept it, and act accordingly.

Re:color me surprised

[DarkOx]

I agree but sadly. Society is just going to work oh so well when we have to treat everyone we meet as probable hostile.

Re:color me surprised

[ahabswhale]

goog already captures your every move in chrome

Care to back that statement up?

Re:color me surprised

[Oceanplexian]

What's fascinating is that Apple was the last to go onboard according to the slide. Granted, I don't trust them but I wonder if Jobs was involved and in any way resisting that program.

We always like to think of Apple as the bad guys, but clearly they could've sold out much earlier. Apple also has a good history of security (FileVault), promoting good security practices, and not giving in to law enforcement (iMessage).

surprise

At this point is anyone even shocked by this? Let somebody in the door and they are going to peek in the closets if they can. Every company you interact with is recording and selling everything that can get their hands on.

Of course nothing will come of this. Amazon is a big player, they can get away with it.

Re:surprise

[s1d3track3D]

Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.

Re:surprise

[dolmen.fr]

This is exactly the same as Facebook, Google, and other social network do with their buttons. And this is in no way different from tracking by ad networks.
Just use Ghostery.

Re:surprise

[PopeRatzo]

Every company you interact with is recording and selling everything that can get their hands on.

Do you remember when companies made their profits by selling you products that you wanted, instead of just using their retail operations as a front end to upskirt your personal data and sell that to...whomever?

Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

Used to be, when a company sold products, their customers were the people who bought those products. Today, when a company sells products, their real customers are oily characters standing out back, waiting to buy copies of your credit cards. The products they sell, whether stuff on Amazon or Android games, or bandwidth are just a front for their actual, much sleazier, business.

Re:surprise

[Synerg1y]

This is true, now you can add Amazon to that list.

Re:surprise

[HornyBastard]

Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

Wrong.
It is a sleazy motel with cameras in every room, and the profits come from selling videos of you having sex, showering, and going to the toilet.

Re:surprise

[digitig]

This is slashdot. They make their money by threatening people with videos of us showering and going to the toilet. They'd threaten people with videos of us having sex, too, if slashdotters had sex.

Re:surprise

[maxwell+demon]

Well, they will have videos of Slashdotters having sex ... with their hands.

Re:surprise

[HornyBastard]

Never underestimate the depravity of the human race. There are people who would pay to see it.

Re:surprise

[certain+death]

"upskirt your personal data" I almost spit ice tea on my poor old laptop on that one!! You win the internet award today!

Re:surprise

[jcwayne]

If only there was a button for that.

Re:surprise

[certain+death]

Wait...I don't remember any /.ers taking showers!

Re:surprise

[icebike]

At this point is anyone even shocked by this?

Well I was shocked when I heard that Amazon had a browser extension. I often shop Amazon, but never felt the need to install the extension. It serves no purpose.

But don't be so sure that Amazon is going to get away with it. If this is true, it could cost them millions.
They are not a common carrier, and have no safe harbor.

Re:surprise

[Urza9814]

And how exactly can a hacker drain my bank account using a Facebook 'like' button?

Re:surprise

[Nerdfest]

For many, privacy has a value just like money does. Maybe not you. but many.

Re:surprise

[Urza9814]

Well no shit. But I'm losing privacy with either vulnerability; but only one can drain my bank account. Therefore, the one that also drains my bank account is CLEARLY worse.

Re:surprise

[Nerdfest]

Your bank account is probably insured. Most likely your privacy is not.

Re:surprise

[Urza9814]

You are not getting this are you?

BOTH AFFECT PRIVACY. They have the same effect on privacy. It's not a question of how much you value privacy, because privacy is ENTIRELY IRRELEVANT to this comparison! Because it affects both equally. It's the same on both sides of the equation, so you can subtract it from both. Privacy + money > privacy. If privacy is 10 and money is 100, that statement is true. If privacy is 1000000000000 and money is 0.000001, that statement IS STILL TRUE.

To go back to the post I was replying to: This isn't the exact same thing as normal ad tracking, because this gives an attacker more power. We can debate all you want about which aspects of that power is more valuable, and I'd probably agree with you, but that's a completely different topic. More is by definition not "exactly the same". 1000000000000.000001 != 1000000000000.

Browser extensions

[0123456]

And this is why browser extensions are a bad idea.

uhh why does it have a browser extension?

[gl4ss]

someone using it explain, please? what does one click buying need a browser extension for?

Re:uhh why does it have a browser extension?

QUIET, CITIZEN!

Do not question the Corporation. Do not question progress. Do not question prosperity.

What are you, a Socialist?

Re:uhh why does it have a browser extension?

[The+MAZZTer]

Here it is. Looks like it is a popup which displays various promos and has quick links.

Re:uhh why does it have a browser extension?

[gl4ss]

ooh.. so it's like a modern browser bar extension. no wonder it snoops.

Re:uhh why does it have a browser extension?

[tlhIngan]

Well, let's say you love to shop Amazon (and admit it, you do).

Basically this extension sees what you're trying to buy and sees if it can find it on Amazon cheaper and then popup a message saying such.

Perhaps you're shopping Newegg and find some product you want. The Amazon thingy pops up and can tell you if Amazon has it cheaper so go shop there. Or if you're wanting to buy something and never clicked the checkout, it can pop up showing you that it's on sale.

It's like that Amazon app for your smartphone - you scan the barcode, and tap Buy and Amazon ships it to you, all while you're browsing in the store. Except instead of just B&M stores, Amazon now does it for online stores as well.

Re:uhh why does it have a browser extension?

[Urza9814]

Great. So I can save $3 on the products to pay an extra $30 in shipping to get three items each from a different seller, arriving a week later than promised, all either missing important components (like the proprietary power cable that's supposed to be included) or just not working. Yeah, sounds like a real advantage there....

Re:uhh why does it have a browser extension?

[Omestes]

I'm not the largest fan of Amazon, but I haven't really run into this.

First, I have Prime, and generally avoid 3rd party sellers, not handled by Amazon themselves. Therefore, no shipping, or $4-5 for next day. Generally, if they are fulfilled by Amazon they come when they say, give or take a day (I mean that literally, things often come overnight, instead of in 2 days). Amazon also has a pretty good return policy, or at least I haven't had problems.

As for 3rd party sellers, they are a complete crapshoot, as they are everywhere else. You never know their shipping times, or how honest they are. I've had some pretty nasty experiences with them.

None of my complaints have to do with Amazon's service. I don't like how they killed local retail, or how they are the Walmart of online marketing (they set the bar low, so its hard to compete). I don't like their Kindle idea, any of it. I don't like their business practices... But they do have an awesome service, which I hate using but feel compelled to use since it is far better than anyone else out there.

I just built a new computer, and was sourcing everything. Newegg beat Amazon on most prices but once shipping was included ($5.99 for 2-4 weeks, or $0 for two days) Amazon won, so Amazon got my money, yet again. Granted Prime is money, it still pays itself off quickly (it did with one purchase, in my case).

Re:uhh why does it have a browser extension?

[Omestes]

You helped killed local retail, you.

As did we all.

To my credit I shopped for hardware locally (mostly mom and pop shops, may they rest in piece) until all that existed was Fry's (a cesspool), and BestBuy. I bought books at local stores, until Border's died, leaving the gloried toy-store that is Barnes and Noble. I still try to buy all my used books at local stores, though that is getting harder, since one local chain has killed many of the smaller stores, and obviously Amazon helped.

That last bit is particularly sad, since there was a huge, ugly, grimy, used bookstore I went to for 20 years. The woman specialized in vintage science fiction, she had thousands of copies of 50's-60's science fiction all crammed, unorganized in boxes... It was beautiful, and a great way to kill an afternoon. Its gone now, along with the rest of them...

I try my hardest to buy local, but it is becoming increasingly impossible. There is only one store in my city of 3 and a quarter million people that sells motherboards and processors. They have dubious service, sleazy commission seekers, sometimes they outright lie, they have the worst return policy known to man, and have burnt me more times than I can remember (I took back a single motherboard 5 times, last time I relied on them). So what do I do? Put up with them? Buy from Amazon, which is bad. Buy from Newegg, which isn't the most stellar company either?

I've given up, to be honest. The local markets for specialty items is so depleted that it often takes days of searching to find something these days, when you could have it in 5 seconds of searching the internet, for half the cost.

Re:uhh why does it have a browser extension?

[Urza9814]

Meh. Prime has always seemed a colossal waste of money to me. Then again, I don't but much online...and the "5-7 day" shipping offered by Newegg usually arrives in two (order Tuesday at 9pm and I'll sometimes have it by Thursday afternoon) so expedited shipping seems a waste too. Might be good for Amazon though; even the non-marketplace stuff usually takes around a week...but I order from Amazon about once or twice a year. Newegg maybe three or four.

But if you have a way to hide marketplace results I'd be very interested...every time I shop at Amazon I scour their site for such an option but can never seem to find one. And it seems that 95% of the results are always marketplace...with how long it takes to filter those out, you're better off just going elsewhere since Amazon's prices -- at best -- are no more than $5 lower than anywhere else.

Re:uhh why does it have a browser extension?

[Omestes]

Meh. Prime has always seemed a colossal waste of money to me.

It became worth it when most of our local bookstores died, and computer stores, and... It probably isn't the best for everyone, though. Part of its utility is that I share my Amazon account with my Girlfriend and mom.

But if you have a way to hide marketplace results I'd be very interested

Checking the show only Super Saver or Prime button works for items over a certain price, since those are generally fulfilled by Amazon, even if sold by a third party. If Amazon fulfills it, you get to deal with their service, and their returns, which is generally better than most marketplace sellers. Even when I get a good return with a marketplace seller, its generally; "if you give us more stars, we'll give you a refund", which is a bit odd, since they messed up in the first place.

are no more than $5 lower than anywhere else.

This is barely true anymore, now that they charge tax. Their prices, and Newegg's were pretty much identical. Though some of the items I was ordering were through third parties on Newegg, and not Amazon. This was a bit strange to me, since I've thrown plenty of cash at Newegg, and they used to be generally cheaper than everyone else, at least with components.

Common Sense Advice

"through their one-click extension for Chrome"

Avoid Google.

Avoid Google services.

Avoid Google products.

All of them.

Forever.

Re:Common Sense Advice

[womby68]

I'm with you... Avoid Google!!! Google is the most invasive and dangerous corporation in the world today!!!

Re:Common Sense Advice

Has anyone tried to block all Google's domains? And Amazon's. And Facebook's? And a couple of more?
Like, defining them as 127.0.0.1 in hosts or using a proxy-DNS or something...
I know that a lot of sites use Google Analytics (including Slashdot). Does something break (I obviously don't care if Google, Facebook, etc don't work).

I'm going to try right now actually. July 12 is going to be my new deny-day.

Re:Common Sense Advice

That is very incomplete advise. Microsoft has been implicated in adding *several* back-doors for the NSA. Even if Google is as evil as you think, Microsoft appears to be even more evil. Apparently Amazon is also evil. Facebook was implicated too. As were the major phone carriers in the US.

If you value your privacy, you should avoid any major corporation in any country. And, *any* corporation in the U.S.

Re:Common Sense Advice

[EvilIdler]

Occasionally something as simple as download links may stop working if you block Google Analytics, because the people who made the website are too stupid to simply parse weblogs for downloads. But other than that nothing of value is lost. Stock up on AdBlock, Ghostery and other goodies. Throw in Web of Trust for good measure.

Re:Common Sense Advice

[Synerg1y]

Pretty sure NoScript blocks it. Analytics is JS based which is what NoScript is for.

Re:Common Sense Advice

You do realize that this is being done by Amazon's software, not Google's, right?

Re:Common Sense Advice

[maxwell+demon]

Indeed, NoScript even has a surrogate script for Google Analytics.

Re:Common Sense Advice

[Nerdfest]

Hey, they ain't payin' to bash Amazon.

Re:Common Sense Advice

[phorm]

Ummm, you do realize that Amazon and Google are different companies, right?

I do wonder why this functionality isn't in extensions for other browsers (maybe it is), but other than possibly a bad permissions model for extensions I don't think we can blame G for this one.

Re:Common Sense Advice

Someone else said it and got modded to hell.

It's NOT GOOGLE. IT'S AMAZON. One of them starts with an "A" and the other starts with a "G". No point shooting "GOOGLE" for "AMAZON'S" cockup, unless you're a blind hater, just looking for any excuse.

Now about the morons that modded the parent post up....

HTTPS-specific extensions

[TWX]

This makes me wonder if there'll be a general code review of browser extensions like HTTPS Everywhere and HTTPS Finder and the like. I hope that they aren't compromised.

Re:HTTPS-specific extensions

this, i see these privacy extensions and i know what they are supposed to do but how the hell do i know that the extension itself isnt spying me

Re:HTTPS-specific extensions

[lgw]

Well, HTTPS Everywhere ships with TOR, so either it's safe, or the FBI is keeping it a secret for something really fun.

I'll bet my horse on it...

that Amazon will issue an apology saying the inadvertently sent the data to their servers. And Alexa's.

Re:I'll bet my horse on it...

[amicusNYCL]

that Amazon will issue an apology saying the inadvertently sent the data to their servers

I don't know how many horses you have left to wager, but it would be pretty stupid of Amazon to say that when the entire purpose of the extension is to send Amazon information about what you're looking at so that they can show their price. It's the specific purpose of the extension.

intellectual property - security in the workplace

My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

So what did he search for

[L.+J.+Beauregard]

such that rense.com would be the first search result?

Terms and conditions

[WaffleMonster]

"The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you. "

"The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user. "

I find it exceptionally sick and depressing a toolbar which advertises itself to give user quick access to amazon feels a need to go one step further taking advantage of the same customer to spy on or facilitiate the spying on all of their activity. Is the amazon toolbar really not self-serving enough?

Added *.amazon.com to my DNS block list and now I feel slightly better.

Re:intellectual property - security in the workpla

[Svartormr]

My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

I hope they're not expecting it to protect their IP from Google.

not that bad

[dshk]

Amazon does a favor with their Alexa service for the whole internet. That is the only third party global site statistics tool which provides information for free. At least I do not know any other.

Of course they should fix the vulnerability. The real issue is that the current authorization systems only give half of the necessary information, they state what information the app access, but not what it does with those information, even though that could really make a difference. Therefore people become accustomed to give horrific permissions to any app.

File a criminal complaint

[Animats]

This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.

Re:File a criminal complaint

[gnasher719]

This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.

You installed that plugin, it said beforehand what it's doing, so it's authorized.

Re:File a criminal complaint

[Trax3001BBS]

This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.

You installed that plugin, it said beforehand what it's doing, so it's authorized.

Yep, wanna read something nobody has a problem with; read the ToS and Privacy Policy for www.Rovio.com (Angry Birds game being just one of their products)
Anybody who's ever installed "Angry Birds" has agreed to not only allow data collection but it being sent to www.flurry.com for one, as well as some data being
"sent overseas" whatever that means. By far one of the most "we collect your data and can do anything we want with it" Privacy Policy I've read to date.

This is something you have to allow, being a mobile device most aren't Rooted (jail broken / owned) and unable to block it.

.

Re:File a criminal complaint

[Animats]

You installed that plugin, it said beforehand what it's doing, so it's authorized.

Not in this case. That's the issue here. Amazon's description of what the plugin was allowed to do is inconsistent with what it actually does. That's where fraud comes in.

Re:TOR IS NOT SAFE

[lgw]

The evidence for TOR being safe is that, thus far, 0 people have been arrested by being de-anonymized. So, like I said, either it really is safe, or the NSA/FBI is keeping their snooping ability under wraps for something that will really make headlines. I wouldn't bet either way.

I haven't trusted Amazon for years.

[Trax3001BBS]

I've watched the last few years as more and more of my web traffic was being routed to Amazon.com, for reasons unknown.
The more sites I visited the more links to Amazon I found (Netstat, or TCPview from systernals). I don't do any business with Amazon
as I have to pay taxes (Washington State resident), everything comes from NewEgg.com.

I've been blocking Amazon links (data collectors?) for all those years as well, but it's an uphill battle as more servers (addresses) are added all the time,
they've become very persistent. I think you'll find Amazon doing much worse than just reading HTTPS pages, but that's just a personal opinion.

Re:I haven't trusted Amazon for years.

[Trax3001BBS]

All this unknown traffic is because more sites use Amazon's Cloud to host their content.

Good point.

I put this together to show what I block Amazon wise, yet have very few problems surfing sites.

These are just ones with "amazon" in the string. Lots are without the amazon string but too much work to sort out.
an example would be 207.171.184.25 which hops to Smtp-fw-9101.amazon.com according to http://www.robtex.com/

Amazon.com
aan.amazon.com
aax-us-east.amazon-adsystem.com
amazon.adsonar.com
amazon.adsonar.com
amazon1.msn.de
amazon2.msn.de
amazon-giftcard.info
assoc-amazon.com
astore.amazon.com
client-log.amazon.com
cls.assoc-amazon.com
dra.amazon-adsystem.com
fls-na.amazon.com
free-amazon-coupon.com
rcm.amazon.com
rcm-de.amazon.de
rcm-images.amazon.com
rcm-it.amazon.it
rcm-uk.amazon.co.uk
s.amazon-adsystem.com
s1k-amazon.com
s2e-amazon.com
secure-amazon.net
sis.amazon.com
ssl-payment-amazon.com
uedata.amazon.com
users-logins-amazon.com
ws.amazon.com
amazon-giftcard.info
assoc-amazon.com
xml-eu.amazon.com

I've got a lot of links with amazonaws.com blocked, amazonaws.com appears to pertain to Amazon's cloud service.

s3-1-w.amazonaws.com
10bet.s3.amazonaws.com
a6522.s3-website-us-east-1.amazonaws.com
admarvel.s3.amazonaws.com
ads.avitu.com.s3.amazonaws.com
adtago.s3.amazonaws.com
adzerk.s3.amazonaws.com
adzerk-www.s3.amazonaws.com
alexa-sitestats.s3.amazonaws.com
apture.s3.amazonaws.com
assets-hellobar-com.s3.amazonaws.com
biowebb-data.s3.amazonaws.com
blamads-assets.s3.amazonaws.com
bo-videos.s3.amazonaws.com
bro1.s3.amazonaws.com
btrpreroll.s3.amazonaws.com
cadreon.s3.amazonaws.com
cdnpuaf.s3.amazonaws.com
cdx-eu.s3.amazonaws.com
cdx-us.s3.amazonaws.com
click.s3.amazonaws.com
cloudfront-labs.amazonaws.com
clutchmag.s3.amazonaws.com
e23121.s3-website-sa-east-1.amazonaws.com
ecommstats.s3.amazonaws.com
entrecard.s3.amazonaws.com

It's much more involved for me as the above just pertains to Amazon. I block all links that I shouldn't be linked to.
FaceBook and Google are two others that are a B!tc# blocking new links to, but block them I do and still use Google
as a search engine, email other Google services with no problems. Facebook I've no use for.