(I wrote this initially as a comment in http://pamshouseblend.com/diary/10412/amazon-backpedals-blames-glitch. Someone asked for an IT professional to translate to layman's terms the exploit described at http://community.livejournal.com/brutal_honesty/3168992.html )
I make no claims about whether he actually did it or not, but it's certainly a plausible explanation. As both a computer professional and a very out gay man, I find this believable enough to think Amazon committed no acts of bigotry. Their web application security standards could use a review, though. Even if this particular Bad Guy didn't do it, someone else very easily could have, using a technique similar to what he described.
Let me translate the Bad Guy's post...
1) First, he wrote a small program to get a list of all LGBT books on Amazon. This is pretty easy to do. Imagine going to a page that lists their "Gay and Lesbian" section, writing down the ID number of all the books you see, and repeatedly hitting "next".
2) Amazon has a "community moderation" system. If an Amazon user thinks a book is objectionable in some way, you can flag it. But there's a problem with their system. It's vulnerable to something called a "cross-site request forgery", or "XSRF". Imagine if Amazon had a webpage that let you donate $5 to Lambda Legal. Normally, Amazon wants people to be given a confirmation page before they actually do the donation. But imagine you can short-circuit that, and get people to click on the "submit" button without going through the confirmation page. If I can make that short-circuit look like a regular link, and mail it to a million people, some percentage of them will click the link, not knowing what it is, and have money donated without ever seeing the confirmation page.
There are a couple of ways to force people to go through the confirmation page. Amazon apparently didn't do that for the community moderation "report something as objectionable".
3a) Bad Guy then notes that he has a friend who works at Alexa.com, a high-traffic website that generates reports on web page traffic. They're sort of like what AC Nielsen does for TV. Lots of people go to Alexa.com every day. The bad guy's friend inserts what's called an "invisible iframe" on some Alexa pages. When an innocent user like me is signed in to Amazon, and then we go to the Alexa page with the iframe, it fetches the Amazon community moderation link automatically. There's nothing nefarious about iframes per se: many other things are fetched automatically when you visit a page, like pictures. The problem is that the link in this iframe does the "report this randomly selected LGBT book as inappropriate" action. Because the confirmation page at Amazon isn't required (that's what makes this an XSRF), I never realize that I just flagged as objectionable a book on LGBT couple legal advice (and I totally love legal advice for me and my husband!).
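To make the "missing confirmation" concrete, here is a small added illustration (my own simulation, not Amazon's code and not anything from the Bad Guy's post). It models a "flag this book" endpoint two ways: one that accepts any request carrying a logged-in cookie, which is exactly what an invisible iframe produces, and one that requires a POST with a per-session token and a same-origin browser header, so a third-party page cannot submit it on your behalf. The session cookie, token, book IDs and header names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed data: one logged-in session and the anti-forgery token issued to it.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
FLAGS = []  # (user, book_id) reports that reached the moderation queue


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)  # query string or form body
    cookie: str = ""                             # the browser attaches this automatically
    sec_fetch_site: str = "same-origin"          # set by the browser, not by the page


def flag_vulnerable(req):
    """The weak design: a valid cookie is all it takes, even on a plain GET."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return 401
    FLAGS.append((sess["user"], req.params["book_id"]))
    return 200


def flag_hardened(req):
    """The 'confirmation page' in code: POST only, same-site, and a matching token."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405                      # an iframe/image fetch is always a GET
    if req.sec_fetch_site not in ("same-origin", "none"):
        return 403                      # request initiated by another site
    if not hmac.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
        return 403                      # a third-party page cannot read this token
    FLAGS.append((sess["user"], req.params["book_id"]))
    return 200


def cross_site_get(book_id):
    """What the browser sends when another site embeds the flag URL in an iframe."""
    return Request("GET", {"book_id": book_id}, cookie="sess-alice", sec_fetch_site="cross-site")


def legitimate_post(book_id):
    """What Amazon's own confirmation form would send after the user clicks submit."""
    token = SESSIONS["sess-alice"]["csrf"]
    return Request("POST", {"book_id": book_id, "csrf": token}, cookie="sess-alice")
```

The vulnerable handler records the flag for the iframe-triggered request exactly as if Alice had done it herself; the hardened one refuses it and only accepts the request that carries the token her own confirmation page would include.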
3b) As an extra step, Bad Guy also hires a bunch of people in China and India to create a whole bunch of fake Amazon accounts for him. They send him the usernames & passwords, and Bad Guy again writes a little program that logs in as those fake accounts and starts to flag all the LGBT books as objectionable.
3a & 3b accomplish exactly the same thing; he just did both to get more books flagged, and faster.
4) GUESS ON MY PART: An Amazon customer service rep starts getting complaints about all the LGBT books being flagged. The rep checks one or two books in question, sees that they've been flagged due to community moderation, and sends the form letter response.