Tuesday, August 16, 2011

Amazon.com Privacy Hole and Exploit Reveals Customers' Home Addresses, Protect Yourself

UPDATE: It appears Amazon has patched the privacy hole.


Is Amazon.com revealing your home address to the public?

The answer is: Maybe.

In theory, your Amazon wish list lets friends and relatives send you gifts. In practice, you could also be revealing your home address to strangers and would-be stalkers.

Most people know about Amazon's wish lists: they are a feature on Amazon.com that lets you keep an inventory of items you might want to purchase later. Some bloggers and other folks post their wish list for the sake of impression management, or they share it in the hope that someone will send them free swag or gifts.

We recently discovered, though, that unscrupulous individuals may be able to find your home address via Amazon wish lists, even though Amazon's Wish List settings state:

"This address is confidential and will not be seen by anyone purchasing a gift for you."

However, this is not true at all.

In a glaring privacy hole, if you have entered a shipping address for your wish list, anyone (a stalker or whoever) who wants to find your home address only has to buy you something off your wish list. They can then go to their own Amazon account and click Download Order Reports.

Then they run the report and download it as a CSV. Voila! The would-be stalker now has your home address.
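To make the flaw concrete for anyone building a similar feature, here is an added Python model of it (not Amazon's code and not from the original post): a buyer-facing order-report export that writes the recipient's shipping address regardless of the wish list's confidentiality setting, beside a version that enforces the setting at the export boundary. The order fields, the sample data and the `address_confidential` flag are assumptions made for this illustration.

```python
"""Model of a gift-order report export that leaks a confidential address (constructed example)."""
import csv
import io
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    item: str
    recipient_name: str
    ship_to: str
    # Hypothetical flag: True when the address came from a wish list whose
    # settings promise that purchasers will never see it.
    address_confidential: bool


# Constructed sample orders; names and addresses are made up for this example.
SAMPLE_ORDERS = [
    Order("ORD-0001", "Book", "Alice", "12 Example St, Springfield", True),
    Order("ORD-0002", "Headphones", "Buyer (self)", "99 Own Rd, Shelbyville", False),
]

FIELDS = ["order_id", "item", "recipient_name", "ship_to"]
WITHHELD = "[withheld: recipient address is confidential]"


def export_orders_leaky(orders):
    """Vulnerable variant: every shipping address is copied into the buyer's report,
    so a gift bought from a wish list reveals the recipient's home address."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for o in orders:
        writer.writerow({"order_id": o.order_id, "item": o.item,
                         "recipient_name": o.recipient_name, "ship_to": o.ship_to})
    return buf.getvalue()


def export_orders_safe(orders):
    """Hardened variant: the confidentiality rule is applied on the export path itself,
    not only in the storefront UI, so the CSV cannot disclose what the UI hides."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for o in orders:
        ship_to = WITHHELD if o.address_confidential else o.ship_to
        writer.writerow({"order_id": o.order_id, "item": o.item,
                         "recipient_name": o.recipient_name, "ship_to": ship_to})
    return buf.getvalue()


def report_leaks_address(report_csv, orders):
    """Regression check: True if any confidential address appears anywhere in the report.
    Parses the CSV rather than relying on the writer, so it also catches leaks via
    other columns or quoting differences."""
    confidential = {o.ship_to for o in orders if o.address_confidential}
    for row in csv.DictReader(io.StringIO(report_csv)):
        for value in row.values():
            if any(addr in value for addr in confidential):
                return True
    return False


if __name__ == "__main__":
    print("leaky report leaks:", report_leaks_address(export_orders_leaky(SAMPLE_ORDERS), SAMPLE_ORDERS))
    print("safe report leaks:", report_leaks_address(export_orders_safe(SAMPLE_ORDERS), SAMPLE_ORDERS))
```

The point of the hardened version is where the rule lives: the wish list page already promised the address was hidden, but that promise was enforced only in one view. A confidentiality flag has to travel with the data and be checked on every output path (web page, CSV download, API), and a check like `report_leaks_address` belongs in the test suite for each of those paths.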

The fix for the privacy hole: if you have not done so already, and until Amazon closes this hole, we recommend that you take the following steps:

1. Log in to your Amazon.com account.

2. Click the link for Gifts and Wishlists at the top of the page, right above the search box.

3. If you want to see whether you are vulnerable to this privacy exploit, click "See what they see".

If you see "Ship to: No Address Entered", then your privacy is safe.

4. If you do not see this, click the back button in your browser. Then click "Manage This List".

Then click Edit Settings.

5. Next, go down to the Ship To Address, select None, and click Save.

Well, that should do the trick. Your privacy is safe again.

We've tested this as a proof of concept and it's pretty simple to do: if you have a public Wish List and a Ship To Address for your Wish List, then despite what Amazon says, anyone can find your home address. If you've ever bought something off someone's Wish List and had it sent to them, you can verify this privacy exploit simply by logging in to Amazon and downloading your order history.

I'll update this blog as further developments warrant. Please help spread the word and warn others!