Slashdot Mirror

← Back to Stories (view on slashdot.org)

Amazon One-Click Chrome Extension Snoops On SSL Traffic

Posted by Soulskill on from the you're-doing-it-wrong dept.

An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."

25 of 95 comments (clear)

  1. color me surprised by noh8rz8 · · Score: 4, Insightful

    well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

    --
    You want to upvote/downvote? Go back to Reddit! Here we mod up/mod down.
    1. Re:color me surprised by CanHasDIY · · Score: 4, Insightful

      well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

      Before too long, it's going to be easier to list the groups who don't have access to your data...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:color me surprised by Anonymous Coward · · Score: 5, Funny

      Here is the updated list:

      1. You

    3. Re:color me surprised by Anonymous Coward · · Score: 4, Informative

      Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.

    4. Re:color me surprised by Omestes · · Score: 4, Insightful

      at the very least Apple isn't monetizing my web surfing,

      Apple was also on that NSA slide, along with Google and Microsoft. I wouldn't trust them either.

      There are no good guys anymore. Accept it, and act accordingly.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
  2. uhh why does it have a browser extension? by gl4ss · · Score: 4, Interesting

    someone using it explain, please? what does one click buying need a browser extension for?

    --
    world was created 5 seconds before this post as it is.
    1. Re:uhh why does it have a browser extension? by Anonymous Coward · · Score: 4, Insightful

      QUIET, CITIZEN!

      Do not question the Corporation. Do not question progress. Do not question prosperity.

      What are you, a Socialist?

    2. Re:uhh why does it have a browser extension? by The+MAZZTer · · Score: 5, Interesting

      Here it is. Looks like it is a popup which displays various promos and has quick links.

    3. Re:uhh why does it have a browser extension? by gl4ss · · Score: 4, Insightful

      ooh.. so it's like a modern browser bar extension. no wonder it snoops.

      --
      world was created 5 seconds before this post as it is.
    4. Re:uhh why does it have a browser extension? by tlhIngan · · Score: 4, Informative

      Well, let's say you love to shop Amazon (and admit it, you do).

      Basically this extension sees what you're trying to buy and sees if it can find it on Amazon cheaper and then popup a message saying such.

      Perhaps you're shopping Newegg and find some product you want. The Amazon thingy pops up and can tell you if Amazon has it cheaper so go shop there. Or if you're wanting to buy something and never clicked the checkout, it can pop up showing you that it's on sale.

      It's like that Amazon app for your smartphone - you scan the barcode, and tap Buy and Amazon ships it to you, all while you're browsing in the store. Except instead of just B&M stores, Amazon now does it for online stores as well.

    5. Re:uhh why does it have a browser extension? by Urza9814 · · Score: 2

      Great. So I can save $3 on the products to pay an extra $30 in shipping to get three items each from a different seller, arriving a week later than promised, all either missing important components (like the proprietary power cable that's supposed to be included) or just not working. Yeah, sounds like a real advantage there....

  3. Common Sense Advice by Anonymous Coward · · Score: 5, Insightful

    "through their one-click extension for Chrome"

    Avoid Google.

    Avoid Google services.

    Avoid Google products.

    All of them.

    Forever.

    1. Re:Common Sense Advice by maxwell+demon · · Score: 5, Informative

      Indeed, NoScript even has a surrogate script for Google Analytics.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. intellectual property - security in the workplace by Anonymous Coward · · Score: 2, Funny

    My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

  5. Re:surprise by s1d3track3D · · Score: 4, Informative

    Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.

  6. Re:surprise by dolmen.fr · · Score: 4, Informative

    This is exactly the same as Facebook, Google, and other social network do with their buttons. And this is in no way different from tracking by ad networks.
    Just use Ghostery.

  7. Terms and conditions by WaffleMonster · · Score: 4, Informative

    "The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you. "

    "The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user. "

    I find it exceptionally sick and depressing a toolbar which advertises itself to give user quick access to amazon feels a need to go one step further taking advantage of the same customer to spy on or facilitiate the spying on all of their activity. Is the amazon toolbar really not self-serving enough?

    Added *.amazon.com to my DNS block list and now I feel slightly better.

  8. Re:intellectual property - security in the workpla by Svartormr · · Score: 3, Insightful

    My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

    I hope they're not expecting it to protect their IP from Google.

  9. Re:surprise by PopeRatzo · · Score: 4, Interesting

    Every company you interact with is recording and selling everything that can get their hands on.

    Do you remember when companies made their profits by selling you products that you wanted, instead of just using their retail operations as a front end to upskirt your personal data and sell that to...whomever?

    Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

    Used to be, when a company sold products, their customers were the people who bought those products. Today, when a company sells products, their real customers are oily characters standing out back, waiting to buy copies of your credit cards. The products they sell, whether stuff on Amazon or Android games, or bandwidth are just a front for their actual, much sleazier, business.

    --
    You are welcome on my lawn.
  10. not that bad by dshk · · Score: 2

    Amazon does a favor with their Alexa service for the whole internet. That is the only third party global site statistics tool which provides information for free. At least I do not know any other.

    Of course they should fix the vulnerability. The real issue is that the current authorization systems only give half of the necessary information, they state what information the app access, but not what it does with those information, even though that could really make a difference. Therefore people become accustomed to give horrific permissions to any app.

  11. Re:surprise by HornyBastard · · Score: 5, Insightful

    Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

    Wrong.
    It is a sleazy motel with cameras in every room, and the profits come from selling videos of you having sex, showering, and going to the toilet.

    --
    Death has been proven to be 99% fatal in lab rats.
  12. Re:surprise by icebike · · Score: 4, Interesting

    At this point is anyone even shocked by this?

    Well I was shocked when I heard that Amazon had a browser extension. I often shop Amazon, but never felt the need to install the extension. It serves no purpose.

    But don't be so sure that Amazon is going to get away with it. If this is true, it could cost them millions.
    They are not a common carrier, and have no safe harbor.

    --
    Sig Battery depleted. Reverting to safe mode.
  13. Re:surprise by Nerdfest · · Score: 4, Insightful

    For many, privacy has a value just like money does. Maybe not you. but many.

  14. Re:surprise by Urza9814 · · Score: 3, Insightful

    Well no shit. But I'm losing privacy with either vulnerability; but only one can drain my bank account. Therefore, the one that also drains my bank account is CLEARLY worse.

  15. I haven't trusted Amazon for years. by Trax3001BBS · · Score: 2

    I've watched the last few years as more and more of my web traffic was being routed to Amazon.com, for reasons unknown.
    The more sites I visited the more links to Amazon I found (Netstat, or TCPview from systernals). I don't do any business with Amazon
    as I have to pay taxes (Washington State resident), everything comes from NewEgg.com.

    I've been blocking Amazon links (data collectors?) for all those years as well, but it's an uphill battle as more servers (addresses) are added all the time,
    they've become very persistent. I think you'll find Amazon doing much worse than just reading HTTPS pages, but that's just a personal opinion.