Feeds

back to article Amazon button leaked user traffic

Amazon is the latest company to come under fire for misusing its browser extension bar, with security researcher Krzysztof Kotowicz accusing the company of invading privacy via its 1Button extension for Chrome. The blogger, in a post entitled Jealous of PRISM? Use "Amazon 1 Button" Chrome extension to sniff all HTTPS websites! …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Why do people install these things?

Seriously - I don't understand what motivates people to install these things.

Hell, I deny Amazon the right to set cookies or run Javascript until such time as I choose to make a purchase, then enable cookies and Javascript from Amazon only for the duration of the transaction, and then disable it when I am done. I know that any site I go to that has an Amazon ad can leak information to Amazon should I allow JS and cookies from Amazon normally.

10
0
Anonymous Coward

Re: Why do people install these things?

@DDH - There's probably no specific motivation. More like a lack of awareness and understanding.

They're presented to punters in a nice friendly way leaning heavily on brand-awareness and the convenience.

We all trade security for convenience on some level, otherwise we'd never use the internet at all. There's a number of measures I know I should take but frankly, I simply can't be arsed so I accept the risks.

The average punter cares even less than I do.

2
0
Silver badge
FAIL

Re: Why do people install these things?

More to the point, why do browser publishers continue to allow these abortions to exist at all?

"Browser extension bar" == GIANT SECURITY HOLE.

7
0
Anonymous Coward

Finally

A story like this that isn't about Android!

2
1
Silver badge

Re: Why do people install these things?

"@DDH - There's probably no specific motivation. More like a lack of awareness and understanding.

They're presented to punters in a nice friendly way leaning heavily on brand-awareness and the convenience."

I think in some cases they are offered as part of something else, so there's a tick box to clear if you don't want it, and the average punter seems to be incapable of reading things like that, let alone deciding to remove the tick.

I've been asked to look at people's browsers on countless occasions because "it's slow" and/or "it doesn't show a lot of the page" and the reason "it's slow" and/or "it doesn't show a lot of the page" is because so much real estate in the window is taken up with stupid extension bars.

I used to ask why they installed the bars, but the most common response was "I didn't know I had - it just appeared one day," so now I don't bother asking.

1
0
Silver badge
Mushroom

Re: Why do people install these things?

More to the point, what does Amazon think it is doing?

Report back to Alexa or anywhere else? WHY!

This should cost at least a 20000 grand of fine.

3
0
Devil

Re: Why do people install these things?

+1

Shopping toolbars are notorious for snooping and often buggy.

0
0
h3
Bronze badge

Re: Why do people install these things?

The Oracle Java updater installing the Ask toolbar is worse at least this you need to manually install. (Even more annoying is it doesn't even try to install the toolbar on server based os's).

0
0
FAIL

Re: Why do people install these things?

Yep, it's a trade-off that I am *explicitly* giving permission to do. I'm a manic control-freak on my systems, and any external system I get my grubbies on. IOW a bastard engineer from hell :). Farther down, someone points out that users are trained to implicitly give permission when they just click through all the pup-up requesters/windows. And that's where the whole thing is wrong.

For instance, I spent most of a day uninstalling "trial" internet security packages off one system. It wasn't hard since I was doing other stuff, but four of these were installed, all live-scanning, and it'd take hours just to get to the desktop. After I zeroed them and installed a real, licensed, security package, I went through and updated all the software. There were a hell of a lot of them that wanted to put all those packages back on, and the user would likely click on through.

Can't fault the users. And it ain't all to blame on the browser developers. Conditioning at its worst.

0
0
Bronze badge
FAIL

Re: Why do people install these things?

I've been asked to look at people's browsers on countless occasions because "it's slow" and/or "it doesn't show a lot of the page" and the reason "it's slow" and/or "it doesn't show a lot of the page" is because so much real estate in the window is taken up with stupid extension bars.

Do you mean like this?

http://www.woosk.com/2008/08/friends-dont-let-friends-use-ie.html

0
0
Silver badge

Offer it free and say it can save time or has a useful feature or two...

...there's always someone who will fall for it.

0
0
Anonymous Coward

Facebook buttons

Not on the same scale but more pervasive, most, if not all facebook links report your browsing back to face book " by the url they send, Just in case you want to like the page" I assume.

Redirect facebook somewhere else and create a browsing history from failed like button lookups.

If you don't have a facebook account when did you give them permission to watch your browsing?

3
0
Anonymous Coward

Deir Sir/ Madum,

I work fore Prince Bukshop IV of Nigeria. He is lucking for kind person like yuo to recieve wonderfuel gift. It is amazin offer. Pleeze find attached a wonderfuel button fore youre web browser. Install an it will safe you much time.

Best wishes,

Amazon.ng

2
0
Silver badge

This part is meaningless:

http://www amazon.com/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat

http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js

“Yes. The configuration for reporting extremely private data is sent over plaintext HTTP. WTF, Amazon?”

They are common data files, accessible to anyone anyway. The only downside to not using https is that it is more susceptible to MITM modifications, not that a sniffer could read them.

1
0
This topic is closed for new posts.