Amazon One-Click Chrome Extension Snoops On SSL Traffic
An anonymous reader writes "It turns out Amazon has its own sketchy method of snooping on all your browser traffic — even SSL traffic — through their one-click extension for Chrome. As designed, the extension reports every URL you visit, including HTTPS ones, to Amazon. It uses XSS to provide some of its functionality. It also reports contents of some website visits to Alexa. The Amazon extension has also been exploited to allow an attacker to gain access to SSL traffic on browsers that have it installed."
color me surprised (Score:4, Insightful)
well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.
Re:color me surprised (Score:5, Insightful)
well, why the hell not I say? goog already captures your every move in chrome, so amazon may as well. not to mention NSA and China. I'll stick with Safari - at the very least Apple isn't monetizing my web surfing, so they don't have a per se motive for snooping around.
Before too long, it's going to be easier to list the groups who don't have access to your data...
Re:color me surprised (Score:5, Funny)
Here is the updated list:
1. You
Re:color me surprised (Score:4, Informative)
Your comment made me have a second look at how effective Ghostery and/or Disconnect are with Safari. The answer is that they are completely useless. Even though they correctly identify tracking scripts and image beacons, the browser just goes ahead and requests them from the origin server anyway. Which renders them useless. Who cares if the browser doesn't execute the script anymore? Simply retrieving it is used to identify you in the same manner images are.
Re:color me surprised (Score:5, Insightful)
at the very least Apple isn't monetizing my web surfing,
Apple was also on that NSA slide, along with Google and Microsoft. I wouldn't trust them either.
There are no good guys anymore. Accept it, and act accordingly.
Re: (Score:2)
I agree, but sadly. Society is just going to work oh so well when we have to treat everyone we meet as probably hostile.
Re: (Score:2)
We always like to think of Apple as the bad guys, but clearly they could've sold out much earlier. Apple also has a good history of security (FileVault), promoting good security practices, and not giving in to law enforcement (iMessage).
Re: (Score:2)
Care to back that statement up?
surprise (Score:1)
At this point is anyone even shocked by this? Let somebody in the door and they are going to peek in the closets if they can. Every company you interact with is recording and selling everything that can get their hands on.
Of course nothing will come of this. Amazon is a big player, they can get away with it.
Re:surprise (Score:5, Informative)
Update: One day after the publication, Amazon did not stop tracking, but fixed the vulnerability - the config links are now served over HTTPS. Once again, full disclosure helped the common folks' security.
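The update above describes the fix: the extension's configuration links moved from plain HTTP to HTTPS. As an added example (not Amazon's or Chrome's code, and not part of this thread), the script below audits a Chrome extension bundle for the two properties discussed in the story: configuration or script URLs fetched over plain HTTP, and host permissions broad enough to observe every URL the user visits. The manifest and background script it scans are constructed sample input; the permission patterns it flags are the standard Chrome ones.

```javascript
// Added example, not code from Amazon, Alexa or the Chrome project.
// Audits an extension bundle for (1) plain-HTTP URLs in string literals,
// the weakness the thread's update says was fixed by switching to HTTPS,
// and (2) host permissions that grant access to every site.

// Match absolute http:// URLs inside string literals, e.g. fetch("http://...").
const PLAIN_HTTP_URL = /["'`](http:\/\/[^"'`\s]+)["'`]/g;

// Host-permission patterns that expose every page the user visits.
const ALL_SITES = ["<all_urls>", "http://*/*", "https://*/*", "*://*/*"];

// Return each plain-HTTP URL found in a script with its 1-based line number.
function findPlainHttpUrls(source) {
  const hits = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(PLAIN_HTTP_URL)) {
      hits.push({ line: idx + 1, url: m[1] });
    }
  });
  return hits;
}

// Return the permissions / host_permissions entries that cover all sites.
function findBroadHostPermissions(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  return declared.filter((p) => ALL_SITES.includes(p));
}

// Audit a bundle of the form { manifest: object, scripts: { name: source } }
// and return human-readable findings in a stable order (manifest first).
function auditExtension(bundle) {
  const findings = [];
  for (const perm of findBroadHostPermissions(bundle.manifest)) {
    findings.push(`manifest: host permission ${perm} grants access to every site`);
  }
  for (const [name, src] of Object.entries(bundle.scripts)) {
    for (const hit of findPlainHttpUrls(src)) {
      findings.push(`${name}:${hit.line}: plain-HTTP fetch of ${hit.url} (serve it over HTTPS)`);
    }
  }
  return findings;
}

// Constructed sample bundle (hypothetical names, .invalid domains): a background
// script that loads its configuration over HTTP and a manifest asking for all sites.
const SAMPLE_BUNDLE = {
  manifest: {
    manifest_version: 2,
    name: "example-shopping-helper",
    permissions: ["tabs", "http://*/*", "https://*/*"],
  },
  scripts: {
    "background.js": [
      'const CONFIG_URL = "http://config.example.invalid/settings.json";',
      "fetch(CONFIG_URL).then(r => r.json()).then(applyConfig);",
      'const PRICE_URL = "https://api.example.invalid/prices";',
    ].join("\n"),
  },
};

console.log(auditExtension(SAMPLE_BUNDLE).join("\n"));
```

Run it with `node` against an unpacked extension by loading `manifest.json` and each script into the `bundle` shape; the sample run reports the two all-sites permissions and the one plain-HTTP configuration URL, and leaves the HTTPS URL alone.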
Re:surprise (Score:5, Informative)
This is exactly the same as what Facebook, Google, and other social networks do with their buttons. And this is in no way different from tracking by ad networks.
Just use Ghostery [ghostery.com].
Re: (Score:2)
This is true, now you can add Amazon to that list.
Re: (Score:1)
If only there was a button for that.
Re: (Score:2)
And how exactly can a hacker drain my bank account using a Facebook 'like' button?
Re:surprise (Score:5, Insightful)
For many, privacy has a value just like money does. Maybe not you, but many.
Re:surprise (Score:4, Insightful)
Well no shit. But I'm losing privacy with either vulnerability; but only one can drain my bank account. Therefore, the one that also drains my bank account is CLEARLY worse.
Re: (Score:2)
Your bank account is probably insured. Most likely your privacy is not.
Re: (Score:2, Troll)
You are not getting this are you?
BOTH AFFECT PRIVACY. They have the same effect on privacy. It's not a question of how much you value privacy, because privacy is ENTIRELY IRRELEVANT to this comparison! Because it affects both equally. It's the same on both sides of the equation, so you can subtract it from both. Privacy + money > privacy. If privacy is 10 and money is 100, that statement is true. If privacy is 1000000000000 and money is 0.000001, that statement IS STILL TRUE.
To go back to the post I was
Re:surprise (Score:5, Interesting)
Do you remember when companies made their profits by selling you products that you wanted, instead of just using their retail operations as a front end to upskirt your personal data and sell that to...whomever?
Our economy has become the equivalent of a luxury hotel that makes its real profits by selling copies of your credit card swipes to hackers.
Used to be, when a company sold products, their customers were the people who bought those products. Today, when a company sells products, their real customers are oily characters standing out back, waiting to buy copies of your credit cards. The products they sell, whether stuff on Amazon or Android games, or bandwidth are just a front for their actual, much sleazier, business.
Re:surprise (Score:5, Insightful)
Wrong.
It is a sleazy motel with cameras in every room, and the profits come from selling videos of you having sex, showering, and going to the toilet.
Re: (Score:2)
Re: (Score:1)
Well, they will have videos of Slashdotters having sex ... with their hands.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re:surprise (Score:5, Interesting)
At this point is anyone even shocked by this?
Well I was shocked when I heard that Amazon had a browser extension. I often shop Amazon, but never felt the need to install the extension. It serves no purpose.
But don't be so sure that Amazon is going to get away with it. If this is true, it could cost them millions.
They are not a common carrier, and have no safe harbor.
Browser extensions (Score:2)
And this is why browser extensions are a bad idea.
uhh why does it have a browser extension? (Score:5, Interesting)
someone using it explain, please? what does one click buying need a browser extension for?
Re:uhh why does it have a browser extension? (Score:4, Insightful)
QUIET, CITIZEN!
Do not question the Corporation. Do not question progress. Do not question prosperity.
What are you, a Socialist?
Re:uhh why does it have a browser extension? (Score:5, Interesting)
Re:uhh why does it have a browser extension? (Score:5, Insightful)
ooh.. so it's like a modern browser bar extension. no wonder it snoops.
Re:uhh why does it have a browser extension? (Score:5, Informative)
Re: (Score:3)
Great. So I can save $3 on the products to pay an extra $30 in shipping to get three items each from a different seller, arriving a week later than promised, all either missing important components (like the proprietary power cable that's supposed to be included) or just not working. Yeah, sounds like a real advantage there....
Re: (Score:2)
I'm not the largest fan of Amazon, but I haven't really run into this.
First, I have Prime, and generally avoid 3rd party sellers, not handled by Amazon themselves. Therefore, no shipping, or $4-5 for next day. Generally, if they are fulfilled by Amazon they come when they say, give or take a day (I mean that literally, things often come overnight, instead of in 2 days). Amazon also has a pretty good return policy, or at least I haven't had problems.
As for 3rd party sellers, they are a complete crapshoot,
Re: (Score:2)
You helped kill local retail, you.
As did we all.
To my credit I shopped for hardware locally (mostly mom and pop shops, may they rest in peace) until all that existed was Fry's (a cesspool) and BestBuy. I bought books at local stores, until Borders died, leaving the glorified toy-store that is Barnes and Noble. I still try to buy all my used books at local stores, though that is getting harder, since one local chain has killed many of the smaller stores, and obviously Amazon helped.
That last bit is particularly sad, since there was a huge,
Re: (Score:2)
Meh. Prime has always seemed a colossal waste of money to me. Then again, I don't buy much online...and the "5-7 day" shipping offered by Newegg usually arrives in two (order Tuesday at 9pm and I'll sometimes have it by Thursday afternoon) so expedited shipping seems a waste too. Might be good for Amazon though; even the non-marketplace stuff usually takes around a week...but I order from Amazon about once or twice a year. Newegg maybe three or four.
But if you have a way to hide marketplace results I'd be v
Re: (Score:2)
Meh. Prime has always seemed a colossal waste of money to me.
It became worth it when most of our local bookstores died, and computer stores, and... It probably isn't the best for everyone, though. Part of its utility is that I share my Amazon account with my Girlfriend and mom.
But if you have a way to hide marketplace results I'd be very interested
Checking the "show only Super Saver or Prime" button works for items over a certain price, since those are generally fulfilled by Amazon, even if sold by a third party. If Amazon fulfills it, you get to deal with their service, and their returns, which is generally better than most marketplace
Common Sense Advice (Score:5, Insightful)
"through their one-click extension for Chrome"
Avoid Google.
Avoid Google services.
Avoid Google products.
All of them.
Forever.
Re: (Score:1)
Re: (Score:1)
Has anyone tried to block all Google's domains? And Amazon's. And Facebook's? And a couple of more?
Like, defining them as 127.0.0.1 in hosts or using a proxy-DNS or something...
I know that a lot of sites use Google Analytics (including Slashdot). Does something break (I obviously don't care if Google, Facebook, etc don't work).
I'm going to try right now actually. July 12 is going to be my new deny-day.
Re: (Score:2)
Re: (Score:2)
Pretty sure NoScript blocks it. Analytics is JS based which is what NoScript is for.
Re:Common Sense Advice (Score:5, Informative)
Indeed, NoScript even has a surrogate script for Google Analytics. [hackademix.net]
Re: (Score:1)
That is very incomplete advice. Microsoft has been implicated in adding *several* back-doors for the NSA. Even if Google is as evil as you think, Microsoft appears to be even more evil. Apparently Amazon is also evil. Facebook was implicated too. As were the major phone carriers in the US.
If you value your privacy, you should avoid any major corporation in any country. And, *any* corporation in the U.S.
Re: (Score:1)
You do realize that this is being done by Amazon's software, not Google's, right?
Re: (Score:2)
Hey, they ain't payin' to bash Amazon.
Re: (Score:1)
Ummm, you do realize that Amazon and Google are different companies, right?
I do wonder why this functionality isn't in extensions for other browsers (maybe it is), but other than possibly a bad permissions model for extensions I don't think we can blame G for this one.
Re: (Score:1)
Someone else said it and got modded to hell.
It's NOT GOOGLE. IT'S AMAZON. One of them starts with an "A" and the other starts with a "G". No point shooting "GOOGLE" for "AMAZON'S" cockup, unless you're a blind hater, just looking for any excuse.
Now about the morons that modded the parent post up....
HTTPS-specific extensions (Score:2, Offtopic)
Re: (Score:1)
This. I see these privacy extensions and I know what they are supposed to do, but how the hell do I know that the extension itself isn't spying on me?
Re: (Score:1)
Re: (Score:2)
Well, HTTPS Everywhere ships with TOR, so either it's safe, or the FBI is keeping it a secret for something really fun.
Re: (Score:2)
The evidence for TOR being safe is that, thus far, 0 people have been arrested by being de-anonymized. So, like I said, either it really is safe, or the NSA/FBI is keeping their snooping ability under wraps for something that will really make headlines. I wouldn't bet either way.
I'll bet my horse on it... (Score:1)
that Amazon will issue an apology saying they inadvertently sent the data to their servers. And Alexa's.
Re: (Score:2)
that Amazon will issue an apology saying they inadvertently sent the data to their servers
I don't know how many horses you have left to wager, but it would be pretty stupid of Amazon to say that when the entire purpose of the extension is to send Amazon information about what you're looking at so that they can show their price. It's the specific purpose of the extension.
intellectual property - security in the workplace (Score:2, Funny)
My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.
Re:intellectual property - security in the workpla (Score:4, Insightful)
My workplace just installed a chrome browser frame that does something like this to protect their intellectual property here.
I hope they're not expecting it to protect their IP from Google.
So what did he search for (Score:2)
such that rense.com would be the first search result?
Terms and conditions (Score:5, Informative)
"The Amazon Browser Apps may also collect information about the websites you view, but that information is not associated with your Amazon account or identified with you. "
"The Alexa functionality in the Amazon Browser Apps collects and stores information about the web pages you view. In some cases, that information may be personally identifiable, but Alexa does not attempt to analyze web usage data to determine the identity of any user. "
I find it exceptionally sick and depressing that a toolbar which advertises itself as giving users quick access to Amazon feels a need to go one step further, taking advantage of the same customer to spy on, or facilitate the spying on, all of their activity. Is the Amazon toolbar really not self-serving enough?
Added *.amazon.com to my DNS block list and now I feel slightly better.
not that bad (Score:3)
Amazon does a favor with their Alexa service for the whole internet. That is the only third-party global site statistics tool which provides information for free. At least I do not know of any other.
Of course they should fix the vulnerability. The real issue is that the current authorization systems only give half of the necessary information: they state what information the app accesses, but not what it does with that information, even though that could really make a difference. Therefore people become accustomed to giving horrific permissions to any app.
File a criminal complaint (Score:2)
This looks like it might be a violation of the Computer Fraud and Abuse Act [cornell.edu], the part about "exceeds authorized access". File a criminal complaint with the FBI.
Re: (Score:2)
This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.
You installed that plugin, it said beforehand what it's doing, so it's authorized.
Re: (Score:2)
This looks like it might be a violation of the Computer Fraud and Abuse Act, the part about "exceeds authorized access". File a criminal complaint with the FBI.
You installed that plugin, it said beforehand what it's doing, so it's authorized.
Yep, wanna read something nobody has a problem with? Read the ToS and Privacy Policy for www.Rovio.com (the Angry Birds game being just one of their products).
Anybody who's ever installed "Angry Birds" has agreed to not only allow data collection but it being sent to www.flurry.com for one, as well as some data being
"sent overseas" whatever that means. By far one of the most "we collect your data and can do anything we want with it" Privacy Policy I've read to date.
This is something you have to allow, being a mo
Re: (Score:2)
You installed that plugin, it said beforehand what it's doing, so it's authorized.
Not in this case. That's the issue here. Amazon's description of what the plugin was allowed to do is inconsistent with what it actually does. That's where fraud comes in.
I haven't trusted Amazon for years. (Score:3)
I've watched the last few years as more and more of my web traffic was being routed to Amazon.com, for reasons unknown.
The more sites I visited, the more links to Amazon I found (Netstat, or TCPView from Sysinternals). I don't do any business with Amazon
as I have to pay taxes (Washington State resident); everything comes from NewEgg.com.
I've been blocking Amazon links (data collectors?) for all those years as well, but it's an uphill battle as more servers (addresses) are added all the time;
they've become very persistent. I think you'll find Amazon doing much worse than just reading HTTPS pages, but that's just a personal opinion.
Re: (Score:2)
All this unknown traffic is because more sites use Amazon's Cloud to host their content.
Good point.
I put this together to show what I block Amazon wise, yet have very few problems surfing sites.
These are just ones with "amazon" in the string. Lots are without the amazon string but too much work to sort out.
an example would be 207.171.184.25 which hops to Smtp-fw-9101.amazon.com according to http://www.robtex.com/ [robtex.com]
Amazon.com
aan.amazon.com
aax-us-east.amazon-adsystem.com
amazon.adsonar.com
amazon.adsonar.com
amazon1.msn.de
amazon2.msn.de
amazon-giftcard.info
assoc-amazon.com
astore.amazon.com
client-log.a