PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias Thanks for this. Does this apply to Audible too?
-
The only mitigations are refraining from using public wishlists entirely (set any wishlists you may have to private) or using a PO box or reshipping service to conceal your real physical/final address.
@dalias I'd go a step further and recommend people stop making Jeff Bezos richer in general.
-
@Ragashingo @dalias that's what they're taking away, as I understand it. So I think it's the case _now_, it will shortly _not_ be the case.
So if you're lucky, you can now get the same thing from a third-party seller. If you're mid-lucky, you can get something passing itself off as the same listing from a third-party scammer. If you're unlucky, your address gets leaked to a third-party stalker.
Clearly I wasn't the only person who read that mail this morning and thought "oh no".
-
@dalias fixed and told the family
-
@dalias
Come on guys, we sit on Mastodon lamenting the sorry state of the world, and then everyone signs into an Amazon account??? If our actions are to give money to an organization that aggressively works to destroy the middle class and liberal democracies worldwide, then our words are meaningless...
Quoting The Disposable Heroes of Hiphoprisy: hypocrisy is the greatest luxury....
-
@_calmdowndear @Ragashingo Amazon should have been stopped in their tracks when they first allowed third parties to link their counterfeit items as just being a different seller for the same genuine item, rather than a separate product listing.
The whole late-capitalist fascist hell we're in is a consequence of letting companies do things that were long-illegal and would have been prosecuted as racketeering if not for "with computers" tacked on to the business plan.
-
@TrimTab We're not "lamenting" it. We're doing safety outreach to get information to people who might suffer real harms if they don't know about it.
-
@dalias ah that was the mail Amazon sent. They have sent and explained that in a mail…
-
@rugk They didn't explain that "third-party sellers" means "anyone who signs up for a seller account, possibly the same person as the 'buyer' who just wants to get your address".
-
@dalias so to be clear, just setting the lists private is an immediate mitigation?
I haven't touched this feature since... apparently 2020 (and have only ordered one thing from Amazon since WaPo declined to endorse Harris and I dropped Prime like a hot potato). If I can take it private now and reconsider the existence of these lists entirely when I have more time to do so, that is better for me.
-
@dalias I don't understand why anyone would ever want a public wishlist, even disregarding stalkers and the like. Seriously, how is it of public interest that you'd like a new bathrobe?
-
Note that even PO boxes are not particularly safe against a dedicated stalker. They can stake out the PO for someone picking up a distinctive package once they know what PO it's at.
@dalias must be missing decision log or something, like they fired the guy making the original assessment of the security issue and the information was lost
-
@dalias Thankfully I have no wishlist. I just add items to the cart and leave 'em there indefinitely until I decide to purchase at a later date, or remove them if I don't. I rarely order anything at all online since most stores have what is commonly available.
-
@draNgNon That's my understanding.
-
@jpkolsen It's a way for fans to compensate people whose work they appreciate who can't easily take payment. AIUI one big place this comes up, and where doxing is a huge threat, is sex work. But really for anyone doing things where there's a parasocial relationship with an audience the same applies.