Amazon doesn't use HTTPS to show your purchased items

Over on Smerity’s blog, he details how someone could see what items you have purchased on Amazon, as Amazon serves that information using HTTP.

If you were to browse Amazon right now and someone was eavesdropping on your connection, they could tell exactly what you were looking at. Even if you’re logged in, all item browsing takes place over HTTP. This is tremendously odd given that it’s 2015 and encryption is well and truly fast enough for the masses…

It’s weird that Amazon hasn’t encrypted all of this traffic over HTTPS, and according to someone on Hacker News, they plan to move everything over to HTTPS by September. Let’s hope they do!

On top of not having HTTPS, they also have cookie reuse, which they say is by design and won’t fix. Oh, they also have an XSS that works in an old version of IE. You can read a full write-up of all the problems at https://planetzuda.com/2015/04/04/amazon-cookie-reuse-security-hole/