30 April 2009 | 3,252 views

Amazon Disputes Hacker Claims of Ranking Manipulation

Check For Vulnerabilities with Acunetix

A while back it was all over the blogs and Twitter that Amazon had somehow demoted Gay and Lesbian themed books to keep them from showing up in searches.

There was outrage from all the civil rights folks especially in the LBGT camp (rightfully so if it was true).

After that the rumour started the manipulation was carried about by hackers misusing an XSS flaw in the reporting mechanism.

Amazon.com is disputing an account that a hacker was to blame for an error that caused thousands of books to lose their sales ranks over the weekend. According to Amazon.com Director of Corporate Communications Patty Smith, the situation was due to a cataloging error. Smith disputed a supposed confession posted on a LiveJournal discussion group April 13, in which a hacker identified as “Weev” claimed he had exploited an Amazon.com feature for reporting inappropriate content.

“The thing about the adult reporting function of Amazon was that it was vulnerable to something called “Cross-site request forgery,'” he wrote. “This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in.

“I know some people who run some extremely high traffic (Alexa top 1000) Websites. I show them my idea, and we all agree that it is pretty funny,” he continued. “They put an invisible iframe in their Websites to refer people to the complaint URLs, which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.”

It’s a pretty neat trick, just embed an iframe into some heavily trafficked websites and every time they get visited your cross site request is sent and a vote/report is made.

It leveraged on the ability to report inappropriate content, I’m guessing from what happened that the Amazon system has some automated threshold for tagging stuff that’s reporting x number of times.

However, contrary to statements in Weev’s blog entry and some reports, the situation was not limited to gay-themed books.

“It has been misreported that the issue was limited to Gay & Lesbian themed titles—in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica,” Smith said in a statement. “This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.”

The situation has drawn the ire of some gay and lesbian rights groups concerned that gay-themed books were being censored. In addition, some authors have claimed in press reports that they received e-mails from Amazon.com stating that their books had been placed in an unranked Adult category and excluded from some searches.

At least they’ve acknowledged there is some kind of problem, they understand the scope and are working on fixing it.

I hope they are better than the average corporate and actually fix the root cause too, not just fix the fall-out and patch up the flaw.

Who knows, this may develop further.

Source: eWeek



Recent in General Hacking:
- Kali Linux – The Most Advanced Penetration Testing Linux Distribution
- Microsoft Says You SHOULD Re-use Passwords Across Sites
- Dradis v2.9 – Information Sharing For Security Assessments

Related Posts:
- Source Code Hosting Service Code Spaces Deleted By Hacker
- SHA-1 Password Hashes Cracked Using Amazon EC2 GPU Cloud
- Viber Vulnerable To Man In The Middle Attack (MITM)

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,139,409 views
- Hack Tools/Exploits - 583,510 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 415,364 views

Advertise on Darknet

3 Responses to “Amazon Disputes Hacker Claims of Ranking Manipulation”

  1. anony 30 April 2009 at 5:06 pm Permalink

    They’re not the only ones who have been hit by this type of attack. Check out http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/ to see how Time got pwned.

  2. bob 1 May 2009 at 5:29 pm Permalink

    Good for the hacker. Screw homos.

  3. Anonymous 1 May 2009 at 8:01 pm Permalink

    @anony – Nice to see I’m not the only anon reading this board!

    @bob, I think some of them would like that. Well volunteered, sir!