Chrome Privacy Security

Amazon One-Click Chrome Extension Snoops On SSL Traffic

An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."

  • Re:surprise (Score:5, Informative)

    by s1d3track3D ( 1504503 ) on Friday July 12, 2013 @05:32PM (#44265235)

    Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.

  • Re:surprise (Score:5, Informative)

    by dolmen.fr ( 583400 ) on Friday July 12, 2013 @05:36PM (#44265261) Homepage

    This is exactly the same as Facebook, Google, and other social networks do with their buttons. And this is in no way different from tracking by ad networks.
    Just use Ghostery [ghostery.com].

  • by tlhIngan ( 30335 ) <[ten.frow] [ta] [todhsals]> on Friday July 12, 2013 @05:39PM (#44265279)

    Well, let's say you love to shop Amazon (and admit it, you do).

    Basically this extension sees what you're trying to buy and sees if it can find it on Amazon cheaper and then pops up a message saying such.

    Perhaps you're shopping Newegg and find some product you want. The Amazon thingy pops up and can tell you if Amazon has it cheaper so go shop there. Or if you're wanting to buy something and never clicked the checkout, it can pop up showing you that it's on sale.

    It's like that Amazon app for your smartphone - you scan the barcode, and tap Buy and Amazon ships it to you, all while you're browsing in the store. Except instead of just B&M stores, Amazon now does it for online stores as well.

  • Terms and conditions (Score:5, Informative)

    by WaffleMonster ( 969671 ) on Friday July 12, 2013 @05:49PM (#44265331)

    "The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you."

    "The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user."

    I find it exceptionally sick and depressing a toolbar which advertises itself to give user quick access to amazon feels a need to go one step further taking advantage of the same customer to spy on or facilitate the spying on all of their activity. Is the amazon toolbar really not self-serving enough?

    Added *.amazon.com to my DNS block list and now I feel slightly better.

  • by maxwell demon ( 590494 ) on Friday July 12, 2013 @06:38PM (#44265697) Journal

    Indeed, NoScript even has a surrogate script for Google Analytics. [hackademix.net]

  • by Anonymous Coward on Friday July 12, 2013 @08:52PM (#44266733)

    Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.
