Forgot your password?
typodupeerror
Chrome Privacy Security

Amazon One-Click Chrome Extension Snoops On SSL Traffic 95

Posted by Soulskill
from the you're-doing-it-wrong dept.
An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."
This discussion has been archived. No new comments can be posted.

Amazon One-Click Chrome Extension Snoops On SSL Traffic

Comments Filter:
  • color me surprised (Score:4, Insightful)

    by noh8rz8 (2716593) on Friday July 12, 2013 @05:16PM (#44265107)

    well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

    • by CanHasDIY (1672858) on Friday July 12, 2013 @05:23PM (#44265163) Homepage Journal

      well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.

      Before too long, it's going to be easier to list the groups who don't have access to your data...

      • by Anonymous Coward on Friday July 12, 2013 @05:31PM (#44265229)

        Here is the updated list:

        1. You

      • by Anonymous Coward on Friday July 12, 2013 @08:52PM (#44266733)

        Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.

    • by Omestes (471991) <omestes@NOSpaM.gmail.com> on Saturday July 13, 2013 @03:23AM (#44268277) Homepage Journal

      at the very least Apple isn't monetizing my web surfing,

      Apple was also on that NSA slide, along with Google and Microsoft. I wouldn't trust them either.

      There are no good guys anymore. Accept it, and act accordingly.

      • by DarkOx (621550)

        I agree but sadly. Society is just going to work oh so well when we have to treat everyone we meet as probable hostile.

      • What's fascinating is that Apple was the last to go onboard according to the slide. Granted, I don't trust them but I wonder if Jobs was involved and in any way resisting that program.

        We always like to think of Apple as the bad guys, but clearly they could've sold out much earlier. Apple also has a good history of security (FileVault), promoting good security practices, and not giving in to law enforcement (iMessage).
    • goog already captures your every move in chrome

      Care to back that statement up?

  • by Anonymous Coward

    At this point is anyone even shocked by this? Let somebody in the door and they are going to peek in the closets if they can. Every company you interact with is recording and selling everything that can get their hands on.

    Of course nothing will come of this. Amazon is a big player, they can get away with it.

    • Re:surprise (Score:5, Informative)

      by s1d3track3D (1504503) on Friday July 12, 2013 @05:32PM (#44265235)

      Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.

    • Re:surprise (Score:5, Informative)

      by dolmen.fr (583400) on Friday July 12, 2013 @05:36PM (#44265261) Homepage

      This is exactly the same as Facebook, Google, and other social network do with their buttons. And this is in no way different from tracking by ad networks.
      Just use Ghostery [ghostery.com].

      • by Synerg1y (2169962)

        This is true, now you can add Amazon to that list.

      • by Urza9814 (883915)

        And how exactly can a hacker drain my bank account using a Facebook 'like' button?

        • Re:surprise (Score:5, Insightful)

          by Nerdfest (867930) on Friday July 12, 2013 @09:19PM (#44266869)

          For many, privacy has a value just like money does. Maybe not you. but many.

          • Re:surprise (Score:4, Insightful)

            by Urza9814 (883915) on Friday July 12, 2013 @09:24PM (#44266911)

            Well no shit. But I'm losing privacy with either vulnerability; but only one can drain my bank account. Therefore, the one that also drains my bank account is CLEARLY worse.

            • by Nerdfest (867930)

              Your bank account is probably insured. Most likely your privacy is not.

              • Re: (Score:2, Troll)

                by Urza9814 (883915)

                You are not getting this are you?

                BOTH AFFECT PRIVACY. They have the same effect on privacy. It's not a question of how much you value privacy, because privacy is ENTIRELY IRRELEVANT to this comparison! Because it affects both equally. It's the same on both sides of the equation, so you can subtract it from both. Privacy + money > privacy. If privacy is 10 and money is 100, that statement is true. If privacy is 1000000000000 and money is 0.000001, that statement IS STILL TRUE.

                To go back to the post I was

    • Re:surprise (Score:5, Interesting)

      by PopeRatzo (965947) on Friday July 12, 2013 @06:01PM (#44265429) Homepage Journal

      Every company you interact with is recording and selling everything that can get their hands on.

      Do you remember when companies made their profits by selling you products that you wanted, instead of just using their retail operations as a front end to upskirt your personal data and sell that to...whomever?

      Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

      Used to be, when a company sold products, their customers were the people who bought those products. Today, when a company sells products, their real customers are oily characters standing out back, waiting to buy copies of your credit cards. The products they sell, whether stuff on Amazon or Android games, or bandwidth are just a front for their actual, much sleazier, business.

      • Re:surprise (Score:5, Insightful)

        by HornyBastard (666805) on Friday July 12, 2013 @06:19PM (#44265565)

        Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.

        Wrong.
        It is a sleazy motel with cameras in every room, and the profits come from selling videos of you having sex, showering, and going to the toilet.

        • by digitig (1056110)
          This is slashdot. They make their money by threatening people with videos of us showering and going to the toilet. They'd threaten people with videos of us having sex, too, if slashdotters had sex.
      • "upskirt your personal data" I almost spit ice tea on my poor old laptop on that one!! You win the internet award today!
    • Re:surprise (Score:5, Interesting)

      by icebike (68054) on Friday July 12, 2013 @07:08PM (#44266001)

      At this point is anyone even shocked by this?

      Well I was shocked when I heard that Amazon had a browser extension. I often shop Amazon, but never felt the need to install the extension. It serves no purpose.

      But don't be so sure that Amazon is going to get away with it. If this is true, it could cost them millions.
      They are not a common carrier, and have no safe harbor.

  • And this is why browser extensions are a bad idea.

  • by gl4ss (559668) on Friday July 12, 2013 @05:22PM (#44265153) Homepage Journal

    someone using it explain, please? what does one click buying need a browser extension for?

    • by Anonymous Coward on Friday July 12, 2013 @05:28PM (#44265211)

      QUIET, CITIZEN!

      Do not question the Corporation. Do not question progress. Do not question prosperity.

      What are you, a Socialist?

    • by The MAZZTer (911996) <megazzt.gmail@com> on Friday July 12, 2013 @05:29PM (#44265217) Homepage
      Here it is. [google.com] Looks like it is a popup which displays various promos and has quick links.
    • by tlhIngan (30335) <slashdotNO@SPAMworf.net> on Friday July 12, 2013 @05:39PM (#44265279)

      Well, let's say you love to shop Amazon (and admit it, you do).

      Basically this extension sees what you're trying to buy and sees if it can find it on Amazon cheaper and then popup a message saying such.

      Perhaps you're shopping Newegg and find some product you want. The Amazon thingy pops up and can tell you if Amazon has it cheaper so go shop there. Or if you're wanting to buy something and never clicked the checkout, it can pop up showing you that it's on sale.

      It's like that Amazon app for your smartphone - you scan the barcode, and tap Buy and Amazon ships it to you, all while you're browsing in the store. Except instead of just B&M stores, Amazon now does it for online stores as well.

      • by Urza9814 (883915)

        Great. So I can save $3 on the products to pay an extra $30 in shipping to get three items each from a different seller, arriving a week later than promised, all either missing important components (like the proprietary power cable that's supposed to be included) or just not working. Yeah, sounds like a real advantage there....

        • by Omestes (471991)

          I'm not the largest fan of Amazon, but I haven't really run into this.

          First, I have Prime, and generally avoid 3rd party sellers, not handled by Amazon themselves. Therefore, no shipping, or $4-5 for next day. Generally, if they are fulfilled by Amazon they come when they say, give or take a day (I mean that literally, things often come overnight, instead of in 2 days). Amazon also has a pretty good return policy, or at least I haven't had problems.

          As for 3rd party sellers, they are a complete crapshoot,

          • by Urza9814 (883915)

            Meh. Prime has always seemed a colossal waste of money to me. Then again, I don't but much online...and the "5-7 day" shipping offered by Newegg usually arrives in two (order Tuesday at 9pm and I'll sometimes have it by Thursday afternoon) so expedited shipping seems a waste too. Might be good for Amazon though; even the non-marketplace stuff usually takes around a week...but I order from Amazon about once or twice a year. Newegg maybe three or four.

            But if you have a way to hide marketplace results I'd be v

            • by Omestes (471991)

              Meh. Prime has always seemed a colossal waste of money to me.

              It became worth it when most of our local bookstores died, and computer stores, and... It probably isn't the best for everyone, though. Part of its utility is that I share my Amazon account with my Girlfriend and mom.

              But if you have a way to hide marketplace results I'd be very interested

              Checking the show only Super Saver or Prime button works for items over a certain price, since those are generally fulfilled by Amazon, even if sold by a third party. If Amazon fulfills it, you get to deal with their service, and their returns, which is generally better than most marketplace

  • by Anonymous Coward on Friday July 12, 2013 @05:22PM (#44265155)

    "through their one-click extension for Chrome"

    Avoid Google.

    Avoid Google services.

    Avoid Google products.

    All of them.

    Forever.

    • by womby68 (1756988)
      I'm with you... Avoid Google!!! Google is the most invasive and dangerous corporation in the world today!!!
      • by Anonymous Coward

        Has anyone tried to block all Google's domains? And Amazon's. And Facebook's? And a couple of more?
        Like, defining them as 127.0.0.1 in hosts or using a proxy-DNS or something...
        I know that a lot of sites use Google Analytics (including Slashdot). Does something break (I obviously don't care if Google, Facebook, etc don't work).

        I'm going to try right now actually. July 12 is going to be my new deny-day.

    • by Anonymous Coward

      That is very incomplete advise. Microsoft has been implicated in adding *several* back-doors for the NSA. Even if Google is as evil as you think, Microsoft appears to be even more evil. Apparently Amazon is also evil. Facebook was implicated too. As were the major phone carriers in the US.

      If you value your privacy, you should avoid any major corporation in any country. And, *any* corporation in the U.S.

    • by Anonymous Coward

      You do realize that this is being done by Amazon's software, not Google's, right?

    • by phorm (591458)

      Ummm, you do realize that Amazon and Google are different companies, right?

      I do wonder why this functionality isn't in extensions for other browsers (maybe it is), but other than possibly a bad permissions model for extensions I don't think we can blame G for this one.

    • by Anonymous Coward

      Someone else said it and got modded to hell.

      It's NOT GOOGLE. IT'S AMAZON. One of them starts with an "A" and the other starts with a "G". No point shooting "GOOGLE" for "AMAZON'S" cockup, unless you're a blind hater, just looking for any excuse.

      Now about the morons that modded the parent post up....

  • This makes me wonder if there'll be a general code review of browser extensions like HTTPS Everywhere and HTTPS Finder and the like. I hope that they aren't compromised.
    • by Anonymous Coward

      this, i see these privacy extensions and i know what they are supposed to do but how the hell do i know that the extension itself isnt spying me

      • by symbolset (646467) *
        You should assume if you are using a computer, tablet or phone that many people are spying on everything you do and a great many more are trying to. They record everything that happens - including many details you don't understand, forever. Starting back in the 1980's at least. Maybe they should put a clear warning on the box instead of hiding it away in the various terms and eula.
    • by lgw (121541)

      Well, HTTPS Everywhere ships with TOR, so either it's safe, or the FBI is keeping it a secret for something really fun.

  • by Anonymous Coward

    that Amazon will issue an apology saying the inadvertently sent the data to their servers. And Alexa's.

    • that Amazon will issue an apology saying the inadvertently sent the data to their servers

      I don't know how many horses you have left to wager, but it would be pretty stupid of Amazon to say that when the entire purpose of the extension is to send Amazon information about what you're looking at so that they can show their price. It's the specific purpose of the extension.

  • by Anonymous Coward

    My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.

  • such that rense.com would be the first search result?

  • Terms and conditions (Score:5, Informative)

    by WaffleMonster (969671) on Friday July 12, 2013 @05:49PM (#44265331)

    "The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you. "

    "The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user. "

    I find it exceptionally sick and depressing a toolbar which advertises itself to give user quick access to amazon feels a need to go one step further taking advantage of the same customer to spy on or facilitiate the spying on all of their activity. Is the amazon toolbar really not self-serving enough?

    Added *.amazon.com to my DNS block list and now I feel slightly better.

  • by dshk (838175) on Friday July 12, 2013 @06:01PM (#44265435)

    Amazon does a favor with their Alexa service for the whole internet. That is the only third party global site statistics tool which provides information for free. At least I do not know any other.

    Of course they should fix the vulnerability. The real issue is that the current authorization systems only give half of the necessary information, they state what information the app access, but not what it does with those information, even though that could really make a difference. Therefore people become accustomed to give horrific permissions to any app.

  • This looks like it might be a violation of the Computer Fraud and Abuse Act [cornell.edu], the part about "exceeds authorized access". File a criminal complaint with the FBI.

    • This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.

      You installed that plugin, it said beforehand what it's doing, so it's authorized.

      • This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.

        You installed that plugin, it said beforehand what it's doing, so it's authorized.

        Yep, wanna read something nobody has a problem with; read the ToS and Privacy Policy for www.Rovio.com (Angry Birds game being just one of their products)
        Anybody who's ever installed "Angry Birds" has agreed to not only allow data collection but it being sent to www.flurry.com for one, as well as some data being
        "sent overseas" whatever that means. By far one of the most "we collect your data and can do anything we want with it" Privacy Policy I've read to date.

        This is something you have to allow, being a mo

      • by Animats (122034)

        You installed that plugin, it said beforehand what it's doing, so it's authorized.

        Not in this case. That's the issue here. Amazon's description of what the plugin was allowed to do is inconsistent with what it actually does. That's where fraud comes in.

  • by Trax3001BBS (2368736) on Saturday July 13, 2013 @08:13AM (#44268977) Homepage Journal

    I've watched the last few years as more and more of my web traffic was being routed to Amazon.com, for reasons unknown.
    The more sites I visited the more links to Amazon I found (Netstat, or TCPview from systernals). I don't do any business with Amazon
    as I have to pay taxes (Washington State resident), everything comes from NewEgg.com.

    I've been blocking Amazon links (data collectors?) for all those years as well, but it's an uphill battle as more servers (addresses) are added all the time,
    they've become very persistent. I think you'll find Amazon doing much worse than just reading HTTPS pages, but that's just a personal opinion.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...