Amazon Disputes Hacker Claims of Ranking Manipulation


A while back it was all over the blogs and Twitter that Amazon had somehow demoted Gay and Lesbian themed books to keep them from showing up in searches.

There was outrage from all the civil rights folks especially in the LBGT camp (rightfully so if it was true).

After that the rumour started the manipulation was carried about by hackers misusing an XSS flaw in the reporting mechanism.

Amazon.com is disputing an account that a hacker was to blame for an error that caused thousands of books to lose their sales ranks over the weekend. According to Amazon.com Director of Corporate Communications Patty Smith, the situation was due to a cataloging error. Smith disputed a supposed confession posted on a LiveJournal discussion group April 13, in which a hacker identified as “Weev” claimed he had exploited an Amazon.com feature for reporting inappropriate content.

“The thing about the adult reporting function of Amazon was that it was vulnerable to something called “Cross-site request forgery,'” he wrote. “This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in.

“I know some people who run some extremely high traffic (Alexa top 1000) Websites. I show them my idea, and we all agree that it is pretty funny,” he continued. “They put an invisible iframe in their Websites to refer people to the complaint URLs, which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.”

It’s a pretty neat trick, just embed an iframe into some heavily trafficked websites and every time they get visited your cross site request is sent and a vote/report is made.

It leveraged on the ability to report inappropriate content, I’m guessing from what happened that the Amazon system has some automated threshold for tagging stuff that’s reporting x number of times.

However, contrary to statements in Weev’s blog entry and some reports, the situation was not limited to gay-themed books.

“It has been misreported that the issue was limited to Gay & Lesbian themed titles—in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica,” Smith said in a statement. “This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.”

The situation has drawn the ire of some gay and lesbian rights groups concerned that gay-themed books were being censored. In addition, some authors have claimed in press reports that they received e-mails from Amazon.com stating that their books had been placed in an unranked Adult category and excluded from some searches.

At least they’ve acknowledged there is some kind of problem, they understand the scope and are working on fixing it.

I hope they are better than the average corporate and actually fix the root cause too, not just fix the fall-out and patch up the flaw.

Who knows, this may develop further.

Source: eWeek

Posted in: Hacking News

, , ,


Latest Posts:


tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.


3 Responses to Amazon Disputes Hacker Claims of Ranking Manipulation

  1. anony April 30, 2009 at 5:06 pm #

    They’re not the only ones who have been hit by this type of attack. Check out http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/ to see how Time got pwned.

  2. bob May 1, 2009 at 5:29 pm #

    Good for the hacker. Screw homos.

  3. Anonymous May 1, 2009 at 8:01 pm #

    @anony – Nice to see I’m not the only anon reading this board!

    @bob, I think some of them would like that. Well volunteered, sir!