CassandrichFeb 26

PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:

Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.

In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.

Show threadAlex RFeb 26
@dalias every single engineer I've seen talking about this has immediately identified this attack, so it's guaranteed that this will be exploited right away if it goes ahead (and also that Amazon absolutely knows about it)
Show threadCassandrich
@alex They obviously knew about it since the beginning. That's why gifts were limited to fulfilled-by-Amazon. Then some piece of shit manager with no understanding of safety wanted to make the sketchy marketplace more lucrative to sellers to compete in race to bottom.
Feb 26 at 3:36pmWeb
Show threadAlex RFeb 26
@dalias exactly. They could also have trivially made wishlists with that setting private, which would at least limit the immediate harm, but that doesn't goose the wishlist metrics