When you sign up, your Amazon email and password are sent to the server using GET and so are visible in the URL. While the request is done over HTTPS (and traffic snoopers can't see it), it is very likely that there are a ton of Amazon credentials lying around unencrypted in a log somewhere on their server.
For some reason, the "Norton Secured" badge makes me less likely to trust the site, and looking at the inline, not very well written JavaScript gives me even less confidence that the guys behind this site have the technical chops to keep my data secure.
According to one of the founders, "Login with Amazon" doesn't grant access to a user's Amazon account.[1] If they were using it, there would be no need to ask for users' passwords.
I can't speak broadly, only from my personal reaction. I also left the site after seeing the Norton logo (and before reading the comments here), because it seemed completely misplaced. I associate Norton with cleaning my computer of badware, not of whether or not some just-launched service is treating my data securely.
Because it seemed out of place, it felt like it was an obvious tactic to bootstrap trust where there wasn't any. A better icon (for me) would have been a badge from your SSL provider, or even just some well designed lock icon.
Wow ... good call on the logs ... curious to hear whether they plan to change from GET to POST. Still wouldn't be comfortable, but seems like something they should do, like right now
Can you briefly explain how to analyze for that, using non-dev tools like Chrome Inspector? I used 'Inspect Element', but found 'Post' on the popup form:
Using the Chrome Dev Tools, you can record the network requests that occur using the Timeline tab.
It's actually using GET to their server and something unknown to Amazon (that would most likely be server to server and not accessible over Javascript).
Although the method on the form is POST, it has an onsubmit handler which calls the connect_amazon2() JS function (which makes a GET AJAX request on line 311) and then returns false, preventing the form from being submitted.
Yes, the Chrome Dev Tools are probably the easiest way to take a look at this type of information. I actually used Safari, but Chrome's tools are much easier to use.
It seems the form submit is being cancelled by the "return false" in the onsubmit, meaning that the form won't be posted normally and that method="post" is irrelevant.
The connect_amazon2() must be making the GET request.
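The concern raised in this thread, that credentials sent in a GET query string land in server access logs while a POST body does not, as an added example that is not part of the original discussion or the site's code: a Node.js check that flags and redacts sensitive query parameters in Combined Log Format lines. The log lines, endpoint path and parameter names are constructed assumptions.

```javascript
// Added example: audit access-log lines for credentials in query strings.
// Parameter names below are assumptions; extend the set for your own application.
const SENSITIVE = new Set(["password", "passwd", "pwd", "pass", "email", "token"]);

// Request field of a Combined Log Format line: "METHOD target PROTOCOL"
const REQUEST_RE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/;

// Returns the sensitive parameter names found and the line with their values masked.
function auditLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return { leaked: [], redacted: line };
  const [, method, target, proto] = m;
  const q = target.indexOf("?");
  if (q === -1) return { leaked: [], redacted: line };

  const leaked = [];
  const pairs = target.slice(q + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    let name;
    try {
      name = decodeURIComponent(rawName.replace(/\+/g, " ")).toLowerCase();
    } catch {
      name = rawName.toLowerCase(); // malformed percent-encoding: compare as-is
    }
    if (eq !== -1 && SENSITIVE.has(name)) {
      leaked.push(name);
      return `${rawName}=REDACTED`;
    }
    return pair;
  });

  const request = `"${method} ${target.slice(0, q)}?${pairs.join("&")} ${proto}"`;
  // Function replacer so "$" sequences in the log line are not interpreted.
  return { leaked, redacted: line.replace(m[0], () => request) };
}

// Constructed sample: the same login sent as GET and as POST, plus a harmless search.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2000:10:01:02 +0000] "GET /example-connect?email=alice%40example.test&password=hunter2&ref=hn HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2000:10:01:09 +0000] "POST /example-connect HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2000:10:02:30 +0000] "GET /search?q=nexus+7 HTTP/1.1" 200 2048',
];

function auditLog(lines) {
  return lines.map(auditLine);
}

for (const { leaked, redacted } of auditLog(SAMPLE_LOG)) {
  console.log(leaked.length ? `LEAK [${leaked.join(", ")}]` : "ok", redacted);
}
```

The POST line passes because the request body is not part of the logged request line; the same credentials sent as GET are recorded in full unless redacted.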
Agreed. My understanding is that having your password does not necessarily allow someone to see your CC number or order things on your behalf through Amazon, but it definitely does not seem like a best practice to go around handing out one's Amazon password. This sort of thing sounds like a good argument, though, for Amazon's implementing the sort of fine-grained permissions (in conjunction with a federated authentication system like OAuth) one finds on Twitter, FB, Google, and other services with a well-developed API and ecosystem. I would happily authorize a site like this to view my order history, even if I would not be willing to provide my password.
Also highly risky is AWS. Maybe an attacker can't order diamond rings for themselves, but they certainly could spin up a million EC2 instances to mine bitcoin.
The cost efficiency is terrible of course, but what do they care.
How could having your password not allow someone to order things on your behalf? All I need to get into my account is my password, and then I can order anything I want.
Fair point. They can order things on your behalf, but cannot easily order things for THEMSELVES on your behalf since they can't enter a new shipping address without reentering the card number. But that doesn't totally eliminate the risk. They could be prepared to swipe the stuff off your porch when it's delivered (since they could predict when this would be) or they could use their power to simply harass you.
I wonder why more sites don't allow you to create a second read-only set of credentials for your account. This would solve a lot of trust issues when using a service like this or say for online banking services like Mint. Wanting to stream Netflix/Amazon from an insecure computer would be another use case.
Is there anything we could do to make you (and many more with the same sentiment) more comfortable? We are thinking of writing a blog post of what happens in the background; would that help? Any other ideas?
There is absolutely nothing you could say or do that would make me give you my password. Also, I assume, you need to store it in the clear to use it.
You claim to not have access to credit card information or being able to order something, but I already have to trust you to believe that claim. Also, Amazon could change their policies at any time -- after all you have credentials, Amazon could decide to trust you.
You could definitely verify that claim:
1) Try to extract your credit card from your account
2) Order something to a new address without having to verify your credit card.
The second one is possible with nothing other than an Amazon order number and some human social engineering; earlier this summer I got hit with someone who gained access to my Amazon order number for an Xbox One (I assume this happened because I was recycling my physical Amazon pack-in invoices [which included the order number] without shredding them), that person chatted with an Amazon CSR and got them to send a replacement order (saying the first never came) and even convinced them to send the replacement to another address that had never been associated with my account (which was a remailer service in Oregon). Even worse, they did this twice (two replacement orders for the same item sent to the same place staggered over 2 days).
I can imagine it would be much, much easier for such social-engineering replacement fraud to happen if someone actually had access to your account with all of its order number data in the clear.
They would be restricted to just reordering things you've already ordered in the past, but I imagine that it doesn't take too many incidents on your account (especially if they figure out you've given your password away freely to a third party) before Amazon shuts you down, with all of the pain associated with that if you're a prime/kindle/etc user.
This seems like a cool service, but there's no way in hell I'm giving anyone my Amazon password for any purpose.
I am not foolish enough to believe that my attackers are no more clever than myself. So whether I can extract my credit card from my account is not useful.
How about ordering a high-cost item from an attacker who sells on Amazon? How about AWS? How about Amazon Payments to order a service from the attacker's site?
In order to trust you with credentials, it is necessary that you show you have thought everything through. The user needs to know that you will not leak credentials. It's a very high bar. You have simply failed to clear the bar.
Just an off-the-top-of-my-head idea: Could you give people a bookmarklet or an extension that they can run when they are on their order history page that exports all the Amazon product IDs?
I was going to write something similar to this. One issue, though, is that it doesn't necessarily track new purchases.
To do that as well, it needs to be an extension and it should also monitor whenever you buy something. If there is a concern that purchases might happen when on another computer, you could allow the user to enter their password into the extension so that the extension can monitor things for you in the background. While users don't have a guarantee that the extension is using the password securely, at least it is possible for the source code to be inspected.
You can actually download your entire order history as a CSV (which is kind of fun -- on the account page, find "Download Order Reports"), which could then be uploaded into this service to get a report on everything you've purchased. The only sensitive information included in the report is name and address.
There is no way I'm giving out my Amazon creds which also house AWS, Amazon Payments, Amazon Sellercentral, etc...
Much more cumbersome for users but I see a report option where you can generate .csv's of every item you ordered, maybe those could be uploaded to your service, but unfortunately if I can't use this service without handing over my creds I'm not going to use it.
> Is there anything we could do to make you (and many more with the same sentiment) more comfortable?
No. Asking people to give out their passwords is fucking horrific. You can't do anything with Amazon, but bad_guy could do something with $other_service and you're just encouraging people to be lazy with passwords.
It's hard enough to get people to choose good passwords and not store them in stupid ways.
I'm not sure, but Mint.com seems like a good place to look for ideas. They have somehow persuaded me and millions of others to hand over all our banking passwords.
Gaining this trust, though, will probably not be easy. One advantage a site like Mint has is that they have so much content and so many partnerships that it is clear they are not a scam, have enough at stake to not misuse my information, and probably have the resources to keep it safe. A site like yours, however, could easily have been cobbled together in a number of hours by a scammer. (I don't mean this as a criticism -- I actually like your site. It just doesn't have anything on it to suggest that you are the sort of business I can trust with my passwords.)
It helps at this point that Mint itself and its corporate owner Intuit have a long history of reasonably good online security (certainly better than some banks I've used), plus the whole "owned by Intuit" thing gives a solid paper-trail to keep anyone from recourselessly running away in the night with my information.
No. You can put anything you want in text or graphics on the screen. You need to send people to a secure amazon.com login page and pass an OAuth token.
I agree. If my Amazon credentials are stolen, here's what I have at risk:
- My credit card details (multiple)
- Shipping / billing addresses
- My private order history 5+ years
- Access to all my AWS instances
- Amazon Cloud Drive data
- And I'm probably forgetting a few...
With that being said, even services like Mint.com require handing over your bank's password to them even today. It's really not a good practice even if they are stored securely.
Tried Shelfflip, minutes later received this email from Amazon:
"Your Amazon.com password has been changed"
This is an important message from Amazon.com.
As a precaution, we've reset your Amazon.com password because you may have been subject to a "phishing" scam.
Here's how phishing works:
A scam artist sends an e-mail, which is designed to look like it came from a reputable company such as a bank, financial institution, or retailer like Amazon.com, but is in fact a forgery. These e-mails direct you to a website that looks remarkably similar to the reputable company's website, where you are asked to provide account information such as your e-mail address and password. Since that web site is actually controlled by the phisher, they get the information you entered.
Go to amazon.com/phish to read more about ways to protect yourself from phishing.
To regain access to your Amazon customer account:
1. Go to Amazon.com and click the "Your Account" link at the top of our website.
2. Click the link that says "Forgot your password?"
3. Follow the instructions to set a new password for your account.
Please choose a new password and do not use the same password you used with us previously.
You should not be collecting people's usernames and passwords, being a software engineer aware of the consequences, regardless of whether users are willing to give them up.
There are so many things that can go wrong, even if you've got the best of intentions.
Looks nice, but it just feels a bit weird to enter your Amazon password with linked credit cards and bank accounts on another site. I'm aware that there's probably no better way of accessing that purchase history data but it's just something people are preaching for years shouldn't be done.
Agreed. However, even with your credentials, we wouldn't be able to access your credit card number (Amazon hides it). Additionally, if we would want to order anything in your name, but our address, we would have to reconfirm the credit card number, which we don't have.
You could, however, spin up or down EC2 instances associated with that account. You could easily destroy a business with this information, or bankrupt a person (well, Amazon is usually pretty good about forgiving accidental charges, but imagine explaining to them how someone got your credentials).
I am really sorry to hear that. We've experienced that once or twice before. This happens when the phone number associated with the account doesn't match the one you entered. Unfortunately, Amazon sometimes asks for an old phone number, as long as that number has at one point been associated with your account. ShelfFlip definitely doesn't do anything scammy.
What about going the "TripIt" route and let people forward their email receipts? You could parse and let people populate their accounts that way. I think you can even request old receipts for ones you've deleted.
Unfortunately I agree with everyone else and I was immediately wary when it asked me for my Amazon credentials. There must be a better way to get this information.
Also these prices make no sense for when I search items directly. How can a flawless Nexus 7 2013 be worth only $70? Where can I buy them all?
> How can a flawless Nexus 7 2013 be worth only $70? Where can I buy them all?
It's worth $70 to them. They are buying to resell, and they can pay a lower price for the convenience of getting the item from your house and paying you instantly.
One can always sell it on eBay/craigslist and get a bigger price, but you'll have to deal with buyers, scammers, shipping, etc. It boils down to how much your time is worth and/or how fast you need the money.
Pricing is definitely one of our challenges. We are currently paying prices of around 80% of what we think is a fair amazon market value, while giving the user a hassle-free sales experience. (Our prices are not manually entered but automatically calculated [e.g. based on price on Amazon, prices on other recommerce sites, ...])
This (almost) always leads to prices that are higher than Gazelle's or NextWorth's while also offering the convenience of getting paid within 24 hours. (in SF)
I had a bad feeling as soon as I saw the "Let's find out button". When my fears were confirmed, I immediately closed the tab.
You HAVE to find a better way to do this. People are becoming increasingly aware of the risks of this kind of behavior on malicious sites, and potential users will walk away out of paranoia.
I don't feel comfortable giving my Amazon login credentials like a lot of people here. I think Unioncy (https://unioncy.com/) has an interesting solution to this. They parse your emails for Amazon receipts to figure out your Amazon purchases.
Not only would I echo the "give a website my Amazon creds" argument, but what if I want to sell things I haven't bought from Amazon and/or (like me) you don't really buy things on Amazon?
I have lots of things I would like to sell and declutter, but none of them are from Amazon.
You can also sell products that you haven't bought on Amazon - if we show a price, then we are buying it (you can search for books / electronics here: www.shelfFlip.com/search.php).
I can't believe anyone would put their Amazon password into a third-party site. I clicked on the link, started through the login funnel, realized what I was about to do, and stopped.
When I got the "Are you sure?" message, I started thinking that the site was specifically crafted to show how easy it is to get people to give passwords to a "reputable-looking" third party.
I expected to get some sort of congratulatory message after saying no, like "You're smart enough to not give us your password!" When I didn't get that, I came back to the HN comments, expecting to see an explanation from OP about this proof of concept.
Then I see it's supposed to be a real site. Well then.
The simple login prompt for a different site is terrifying. Even if you can be trusted today, are you sure you won't hire an employee tomorrow who will sell all those passwords for fun and profit?
We offered a password-free option but it was too complicated (and thus, the users preferred the current option). We'll likely add the other option in the future (but only as an addition to the current option).
Asking me to enter my Amazon username and password makes this a complete non-starter. Might be the best idea in the world, but I'm not going to risk handing over my credentials for something as sensitive as my Amazon account to make a few extra bucks on some old stuff. There's just not enough risk-reward there for me (though with all due respect and in all honesty, it's unlikely there would ever be enough reason for me to hand over my credentials to some random startup)
I'm curious about the algorithm. Is there a ceiling for book prices? I seemed to get very similar results for multiple different types of books, including being offered $3.21 for one that sells for $100: http://www.amazon.com/gp/aw/d/0575066601?pc_redir=1405401886...
There is no ceiling in place (I need to look into why different books show similar results). For the mentioned book, there's a difference between for how much it is offered and for how much it is bought (if someone wants $100, it doesn't mean that anyone is buying it for that price)
Scanning 44 other book-buying sites, only 3 are buying that book and the price is between $0.12 and $3.97
Great idea. We have that actually implemented, but are currently not displaying it. Unfortunately people are even less likely to give a website access to their emails, since this often means giving access to pretty much everything (through "I forgot my password" emails)
We tried it ... however, the steps (go to Amazon, download the history, search it in your downloads folder and upload it on ShelfFlip) were a bit too confusing - so we don't offer that option (at the moment).
Great idea! I'm guessing you're checking the resale price on Amazon, and giving a price based on that?
I got frustrated with the process of listing / selling items on Amazon (I imagine a lot of it could be automated), and looked around for a service like this (and then added it to my 'side-project' idea list).
I looked into this and the price is now $472. (HN traffic is stress-testing our pricing engine) For this item, we relied on Amazon's trade-in price, which we want to get away from very soon. (because the prices are too low, imho)
Although this is a useful service, the Amazon Security team may block your site. Even if your site is trustworthy, this increases Amazon's liability for phishing attacks on other phishing sites.
A site that is not Amazon asked for my Amazon username and password. Uh, nope the fuck out of here. That account has access to my credit card information and home address.