Slashdot Mirror


Amazon One-Click Chrome Extension Snoops On SSL Traffic

An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."


  1. color me surprised by noh8rz8 · · Score: 4, Insightful

    well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

    --
    You want to upvote/downvote? Go back to Reddit! Here we mod up/mod down.
    1. Re:color me surprised by CanHasDIY · · Score: 4, Insightful

      well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

      Before too long, it's going to be easier to list the groups who don't have access to your data...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:color me surprised by Anonymous Coward · · Score: 5, Funny

      Here is the updated list:

      1. You

    3. Re:color me surprised by Anonymous Coward · · Score: 4, Informative

      Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.

    4. Re:color me surprised by Omestes · · Score: 4, Insightful

      at the very least Apple isn't monetizing my web surfing,

      Apple was also on that NSA slide, along with Google and Microsoft. I wouldn't trust them either.

      There are no good guys anymore. Accept it, and act accordingly.

      --
      A patriot must always be ready to defend his country against his government. -edward abbey
  2. uhh why does it have a browser extension? by gl4ss · · Score: 4, Interesting

    someone using it explain, please? what does one click buying need a browser extension for?

    --
    world was created 5 seconds before this post as it is.
    1. Re:uhh why does it have a browser extension? by Anonymous Coward · · Score: 4, Insightful

      QUIET, CITIZEN!

      Do not question the Corporation. Do not question progress. Do not question prosperity.

      What are you, a Socialist?

    2. Re:uhh why does it have a browser extension? by The+MAZZTer · · Score: 5, Interesting

      Here it is. Looks like it is a popup which displays various promos and has quick links.

    3. Re:uhh why does it have a browser extension? by gl4ss · · Score: 4, Insightful

      ooh.. so it's like a modern browser bar extension. no wonder it snoops.

      --
      world was created 5 seconds before this post as it is.
    4. Re:uhh why does it have a browser extension? by tlhIngan · · Score: 4, Informative

      Well, let's say you love to shop Amazon (and admit it, you do).

      Basically this extension sees what you're trying to buy and sees if it can find it on Amazon cheaper and then pops up a message saying such.

      Perhaps you're shopping Newegg and find some product you want. The Amazon thingy pops up and can tell you if Amazon has it cheaper so go shop there. Or if you're wanting to buy something and never clicked the checkout, it can pop up showing you that it's on sale.

      It's like that Amazon app for your smartphone - you scan the barcode, and tap Buy and Amazon ships it to you, all while you're browsing in the store. Except instead of just B&M stores, Amazon now does it for online stores as well.

  3. Common Sense Advice by Anonymous Coward · · Score: 5, Insightful

    "through their one-click extension for Chrome"

    Avoid Google.

    Avoid Google services.

    Avoid Google products.

    All of them.

    Forever.

    1. Re:Common Sense Advice by maxwell+demon · · Score: 5, Informative

      Indeed, NoScript even has a surrogate script for Google Analytics.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. Re:surprise by s1d3track3D · · Score: 4, Informative

    Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.

  5. Re:surprise by dolmen.fr · · Score: 4, Informative

    This is exactly the same as Facebook, Google, and other social networks do with their buttons. And this is in no way different from tracking by ad networks.
    Just use Ghostery.

  6. Terms and conditions by WaffleMonster · · Score: 4, Informative

    "The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you."

    "The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user."

    I find it exceptionally sick and depressing a toolbar which advertises itself to give user quick access to amazon feels a need to go one step further taking advantage of the same customer to spy on or facilitate the spying on all of their activity. Is the amazon toolbar really not self-serving enough?

    Added *.amazon.com to my DNS block list and now I feel slightly better.

  7. Re:intellectual property - security in the workpla by Svartormr · · Score: 3, Insightful

    My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

    I hope they're not expecting it to protect their IP from Google.

  8. Re:surprise by PopeRatzo · · Score: 4, Interesting

    Every company you interact with is recording and selling everything they can get their hands on.

    Do you remember when companies made their profits by selling you products that you wanted, instead of just using their retail operations as a front end to upskirt your personal data and sell that to...whomever?

    Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

    Used to be, when a company sold products, their customers were the people who bought those products. Today, when a company sells products, their real customers are oily characters standing out back, waiting to buy copies of your credit cards. The products they sell, whether stuff on Amazon or Android games, or bandwidth are just a front for their actual, much sleazier, business.

    --
    You are welcome on my lawn.
  9. Re:surprise by HornyBastard · · Score: 5, Insightful

    Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

    Wrong.
    It is a sleazy motel with cameras in every room, and the profits come from selling videos of you having sex, showering, and going to the toilet.

    --
    Death has been proven to be 99% fatal in lab rats.
  10. Re:surprise by icebike · · Score: 4, Interesting

    At this point is anyone even shocked by this?

    Well I was shocked when I heard that Amazon had a browser extension. I often shop Amazon, but never felt the need to install the extension. It serves no purpose.

    But don't be so sure that Amazon is going to get away with it. If this is true, it could cost them millions.
    They are not a common carrier, and have no safe harbor.

    --
    Sig Battery depleted. Reverting to safe mode.
  11. Re:surprise by Nerdfest · · Score: 4, Insightful

    For many, privacy has a value just like money does. Maybe not you, but many.

  12. Re:surprise by Urza9814 · · Score: 3, Insightful

    Well no shit. But I'm losing privacy with either vulnerability; but only one can drain my bank account. Therefore, the one that also drains my bank account is CLEARLY worse.