furrbear: (Body Count)
[personal profile] furrbear
As a CS geek with an interest in security...

BanTown via a scripting hack. Impressive even though outrage inducing.

Tom Maher, [livejournal.com profile] tmaher, explains it in layman's terms.

A few more links:
http://tehdely.livejournal.com/88823.html

http://community.livejournal.com/brutal_honesty/3168992.html

http://pastebin.ca/1390576
The description from the guy claiming responsibility seems totally plausible. I wonder when it will be used against another site with some form of "Report Objectionable Content" system; e.g., YouTube. It apparently was already used against Livejournal (The Great Strikethrough).

Date: 2009-04-13 10:09 pm (UTC)
From: [identity profile] robearal.livejournal.com
It doesn't completely explain issues occurring since February.

Date: 2009-04-13 10:26 pm (UTC)
From: [identity profile] tbass.livejournal.com
As someone who used to "hack" all sorts of stupid websites when I was younger, I can definitely see that as a valid thing that could have happened and was actually one of my first thoughts when I heard about the whole Amazon thing. Although, I'd assumed it was some religious nut.. not some random bored guy who was pissed about craigslist.

Date: 2009-04-13 10:43 pm (UTC)
From: [identity profile] sultmhoor.livejournal.com
Yeah, don't automatically believe his posted reasons. Doin' it for the lulz is enough motivation. ;)

Date: 2009-04-13 10:46 pm (UTC)
From: [identity profile] furrbear.livejournal.com
Sure it does. Development work. One or two books to make sure it all works.

Date: 2009-04-13 10:48 pm (UTC)
From: [identity profile] sultmhoor.livejournal.com
Embedding in iframes/images for cross site credential exploitation is exactly how to fuck with bear411, too. ;)

Date: 2009-04-13 10:53 pm (UTC)
From: [identity profile] jediknightcub.livejournal.com
Thanks for the heads-up.

Coincidentally, [livejournal.com profile] cuchulainmacog just asked me why people would create viruses. I told him, "To show exploits and weaknesses in operating systems and software. It's not the most admirable thing to spend one's time doing, but it does point out security flaws and exploits and forces the company to immediately deal with whatever issue is currently the focus of the day's news cycle."

Date: 2009-04-13 10:54 pm (UTC)
From: [identity profile] furrbear.livejournal.com
EXACTLY! iframe/image XSS is a well-known exploit. Ranks up there with SQL-injection.

Though LULZ aside, I don't know that it's such a wise idea to claim credit. It probably would have been difficult for SixApart to claim any monetary damage from The Great Strikethrough, but it's not a stretch to see this thing getting turned over to the FBI. Amazon can claim all those canceled orders as "damage".
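
The defence that the "well-known exploit" above calls for, as an added example (this is not code from the post, from LiveJournal or from any site the thread mentions): a "report objectionable content" handler that refuses to change state on GET, checks that the request came from the site's own origin, and requires a per-session CSRF token that a page on another site cannot read. A request triggered by an embedded image or iframe elsewhere carries the victim's session cookie but fails the other two checks. The in-memory session store, the Request shape and the origin https://books.example are constructed assumptions for the example.

```python
"""Defensive checks for a report-abuse endpoint against cross-site forgery.

A logged-in user's browser sends the site's session cookie with any request a
third-party page triggers (an <img> or <iframe> whose src is the report URL).
The handler therefore demands evidence that the request was produced by the
site's own form. Everything below is constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SITE_ORIGIN = "https://books.example"  # assumed origin of our own site


@dataclass
class Session:
    user_id: str
    # Synchronizer token: random per session, embedded in our own form only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed session store: session cookie value -> Session.
SESSIONS: Dict[str, Session] = {"sess-alice": Session("alice")}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str]


def report_form_html(session_cookie: str) -> str:
    """Render the legitimate report form with the session's token embedded."""
    sess = SESSIONS[session_cookie]
    return ('<form method="POST" action="/report">'
            f'<input type="hidden" name="csrf_token" value="{sess.csrf_token}">'
            '<input name="item_id"><button>Report</button></form>')


def same_origin(headers: Dict[str, str]) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer.

    Exact match on Origin (a prefix match would accept books.example.evil).
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def handle_report(req: Request, reports: List[Tuple[str, str]]) -> Tuple[int, str]:
    """Return (status, message); append to `reports` only when every check passes."""
    if req.method != "POST":
        # A GET fired by an <img src="/report?..."> must never change state.
        return 405, "method not allowed"
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if not same_origin(req.headers):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    item = req.form.get("item_id", "")
    if not item:
        return 400, "no item given"
    reports.append((sess.user_id, item))
    return 200, "report recorded"


if __name__ == "__main__":
    log: List[Tuple[str, str]] = []
    cookie = {"session": "sess-alice"}
    # Forged via an embedded image: cookie present, but GET and no token.
    print(handle_report(Request("GET", {}, cookie, {"item_id": "b1"}), log))
    # Forged via a form on another site: browser sets Origin to that site.
    print(handle_report(Request("POST", {"Origin": "https://evil.example"},
                                cookie, {"item_id": "b1"}), log))
    # Legitimate submission from our own form.
    good = {"item_id": "b1", "csrf_token": SESSIONS["sess-alice"].csrf_token}
    print(handle_report(Request("POST", {"Origin": SITE_ORIGIN}, cookie, good), log))
    print(log)
```

Rate limiting reports per account and reviewing bursts of reports against one category are the operational complements to this check; the token and origin tests only stop other sites from submitting on a user's behalf.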

Date: 2009-04-13 10:55 pm (UTC)
From: [identity profile] furrbear.livejournal.com
And Cracker "Street-Cred".

Date: 2009-04-13 11:09 pm (UTC)
From: [identity profile] jediknightcub.livejournal.com
Yo. Word to your mother.

Date: 2009-04-14 12:41 am (UTC)
From: [identity profile] joebehrsandiego.livejournal.com
As a non-CS Geek, can I ask what LULZ specifically means?

EX-LJ-friend danlmarmot has it as a CA personalized car tag.

Date: 2009-04-14 12:44 am (UTC)
From: [identity profile] furrbear.livejournal.com
LULZ = plural of LOL
Edited Date: 2009-04-14 12:45 am (UTC)

Date: 2009-04-14 03:51 pm (UTC)
From: [identity profile] hwynym.livejournal.com
As far as I'm concerned, Amazon is still on the hook for all of the perceptions this incident has created.

While this is a plausible explanation, it's not the explanation they've chosen to give. So, it looks like they targeted GLBT books and then backpedaled when there was an uproar.

If they were hacked, they need to say they were hacked. If they won't come out with a plausible explanation about how a "glitch" would target GLBT titles, then they're not off the hook, as they're choosing a cover-up rather than being open and honest about things.

Until they do that, I won't buy from them again.