Amazon Disputes Hacker Claims of Ranking Manipulation


A while back it was all over the blogs and Twitter that Amazon had somehow demoted Gay and Lesbian themed books to keep them from showing up in searches.

There was outrage from all the civil rights folks especially in the LBGT camp (rightfully so if it was true).

After that the rumour started the manipulation was carried about by hackers misusing an XSS flaw in the reporting mechanism.

Amazon.com is disputing an account that a hacker was to blame for an error that caused thousands of books to lose their sales ranks over the weekend. According to Amazon.com Director of Corporate Communications Patty Smith, the situation was due to a cataloging error. Smith disputed a supposed confession posted on a LiveJournal discussion group April 13, in which a hacker identified as “Weev” claimed he had exploited an Amazon.com feature for reporting inappropriate content.

“The thing about the adult reporting function of Amazon was that it was vulnerable to something called “Cross-site request forgery,'” he wrote. “This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in.

“I know some people who run some extremely high traffic (Alexa top 1000) Websites. I show them my idea, and we all agree that it is pretty funny,” he continued. “They put an invisible iframe in their Websites to refer people to the complaint URLs, which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.”

It’s a pretty neat trick, just embed an iframe into some heavily trafficked websites and every time they get visited your cross site request is sent and a vote/report is made.

It leveraged on the ability to report inappropriate content, I’m guessing from what happened that the Amazon system has some automated threshold for tagging stuff that’s reporting x number of times.

However, contrary to statements in Weev’s blog entry and some reports, the situation was not limited to gay-themed books.

“It has been misreported that the issue was limited to Gay & Lesbian themed titles—in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica,” Smith said in a statement. “This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.”

The situation has drawn the ire of some gay and lesbian rights groups concerned that gay-themed books were being censored. In addition, some authors have claimed in press reports that they received e-mails from Amazon.com stating that their books had been placed in an unranked Adult category and excluded from some searches.

At least they’ve acknowledged there is some kind of problem, they understand the scope and are working on fixing it.

I hope they are better than the average corporate and actually fix the root cause too, not just fix the fall-out and patch up the flaw.

Who knows, this may develop further.

Source: eWeek

Posted in: Hacking News

, , ,


Latest Posts:


Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)
Binwalk - Firmware Security Analysis & Extraction Tool Binwalk – Firmware Security Analysis & Extraction Tool
Binwalk is a fast and easy to use Python-based firmware security analysis tool that allows for firmware analysis, reverse engineering & extracting of firmware.
zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.


3 Responses to Amazon Disputes Hacker Claims of Ranking Manipulation

  1. anony April 30, 2009 at 5:06 pm #

    They’re not the only ones who have been hit by this type of attack. Check out http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/ to see how Time got pwned.

  2. bob May 1, 2009 at 5:29 pm #

    Good for the hacker. Screw homos.

  3. Anonymous May 1, 2009 at 8:01 pm #

    @anony – Nice to see I’m not the only anon reading this board!

    @bob, I think some of them would like that. Well volunteered, sir!