
Simon Willison’s Weblog

How to cause moral outrage from the entire Internet in ten lines of code. Looks legit—the author claims to have sparked this weekend’s #amazonfail moral outrage (where Amazon was accused of removing Gay and Lesbian books from its best seller rankings) by exploiting a CSRF hole in Amazon’s “report as inappropriate” feature to trigger automatic takedowns. EDIT: His claim is disputed elsewhere (see comments).
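An added example (not code from the linked post or from Amazon) of the two defences the story turns on: a "report as inappropriate" endpoint that refuses a forged cross-site submission, and a takedown rule that does not let raw report counts alone hide a listing. The handler, request shape, secret and threshold are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Server-side secret, constructed for this example; a real deployment keeps it out of source.
SERVER_SECRET = b"example-secret-do-not-reuse"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to one session. A page on another origin can make
    the browser send the session cookie, but it cannot read or derive this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class ReportHandler:
    """Minimal 'report as inappropriate' endpoint (assumed shape, not Amazon's)."""

    def __init__(self, takedown_threshold: int = 3):
        self.threshold = takedown_threshold
        self.reporters = defaultdict(set)  # listing_id -> set of reporting account ids
        self.hidden = set()

    def report(self, request: dict) -> tuple:
        # A cross-site form can be submitted with POST, so the method check alone is not a defence.
        if request.get("method") != "POST":
            return 405, "method not allowed"
        session_id = request.get("session_id")
        account = request.get("account")
        if not session_id or not account:
            return 401, "not signed in"
        # The token must arrive in the form body; anything the browser attaches
        # automatically (cookies, auth headers) is exactly what CSRF rides on.
        submitted = request.get("form", {}).get("csrf_token", "")
        if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
            return 403, "csrf check failed"
        listing = request["form"]["listing_id"]
        self.reporters[listing].add(account)
        # Count distinct accounts, not submissions, so one client replaying the same
        # request cannot push a listing over the threshold by itself.
        if len(self.reporters[listing]) >= self.threshold:
            self.hidden.add(listing)
            return 200, "reported; listing hidden pending review"
        return 200, "reported"
```

A real service would also require a same-origin check and human review before a hidden listing is delisted.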


10 comments

  1. Here's one attempted debunking:

    http://bryant.livejournal.com/672165.html

    I'm not yet convinced it's a fake though, given Amazon's poor record concerning CSRF in the past.

    Simon Willison - 13th April 2009 20:03 - #

  2. The whole thing smacks of fakery to me. Of course it *could* be true but the story as told is ridiculous.

    Michael Foord - 13th April 2009 21:27 - #

  3. I don't care about Amazon because it doesn't concern many from Sweden, but I have a tip concerning swtiny.eu, your new shortener. Why not include the corresponding URL on each post so people can copy it instead of using other shortening services? If you don't want it indexed by Google you could insert it on the page with JavaScript.

    Andreas - 13th April 2009 21:31 - #

  4. I know you can add things to people's wishlists using CSRF on Amazon. I don't see any reason why the rest of their sites would be any more secure.

    rabble - 13th April 2009 21:37 - #

  5. rabble: that's exactly what I thought. I find it much more likely that someone exploited a CSRF hole than that Amazon decided to start censoring books based on sexuality.

    There are aspects to the above story that are pretty suspicious (the Alexa top 100 thing and the bit about paying people to register accounts - why bother if you have an exploit?) but the core suggestion of a widely exploited CSRF hole is completely believable.

    Simon Willison - 13th April 2009 21:44 - #

  6. Your last comment sums up my thoughts pretty well, Simon. The premise seems very plausible, in fact more so than the likelihood of Amazon censoring based on sexuality.

    But, the confession is really hard to believe.

    It's a shame Amazon isn't more open. The only discussions I have had with Amazon staff about security have been off-the-record calls from personal phones or private in-person encounters.

    Chris Shiflett - 13th April 2009 21:57 - #

  7. I think the claim you link to is fraudulent, but I believe this is far more likely to be a case of planned, distributed trolling than any change in Amazon policy. Community moderation tools exploited for a minority agenda. This is worth a read.

    Alex - 13th April 2009 22:12 - #

  8. Looks at least as legit as the Samy attack on MySpace. Pretty hilarious and a big wake-up call to the seriousness of XSS flaws.

    Looking forward to the retractions from the amazon haters.

    Peter Braden - 13th April 2009 22:37 - #

  9. How about the guy who knows how you would carry out a CSRF exploit but didn't do it himself; basically he's just looking to up his ego.

    I reckon it was done like this but by someone else.

    Doug @takealeft - 13th April 2009 23:16 - #

  10. The final word?

    http://pcworld.com/businesscenter/article/163042/amazon_says_listing_problem_was_an_error_not_a_hack.html

    Not sure. I read it on the Internet.

    Chris Shiflett - 14th April 2009 02:31 - #
