PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize.
Uncategorized
36
Posts
24
Posters
1
Views
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias Thank you for sharing this.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
The only mitigations are refraining from using public wishlists entirely (set any wishlists you may have to private) or using a PO box or reshipping service to conceal your real physical/final address.
-
The only mitigations are refraining from using public wishlists entirely (set any wishlists you may have to private) or using a PO box or reshipping service to conceal your real physical/final address.
Note that even PO boxes are not particularly safe against a dedicated stalker. They can stake out the PO for someone picking up a distinctive package once they know what PO it's at.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias
It appears the change will roll out in Canada in March.
I've deleted all my public wishlists. -
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias was this not already possible? like i'm not sure how wishlists would work if the seller didn't know how to ship the product?
-
Note that even PO boxes are not particularly safe against a dedicated stalker. They can stake out the PO for someone picking up a distinctive package once they know what PO it's at.
@dalias I live in a rural area of my state. This means that everyone living here has to get a USPS PO Box
We get the double edged sword of
...dealing with entities and online vendors that do not accept our PO Box address as valid.
...but also that we are still suceptible to the privacy issues despote that our mail doesnt come to our physical location.
-
@dalias was this not already possible? like i'm not sure how wishlists would work if the seller didn't know how to ship the product?
@azonenberg Previously you could select that you only accept gifts fulfilled by Amazon. They just took away that ability.
-
Note that even PO boxes are not particularly safe against a dedicated stalker. They can stake out the PO for someone picking up a distinctive package once they know what PO it's at.
@dalias Or just mail you a tracker.
-
@azonenberg Previously you could select that you only accept gifts fulfilled by Amazon. They just took away that ability.
@dalias aha, ok.
I miss when amazon was a way to buy books directly from them and that was it...
-
@dalias aha, ok.
I miss when amazon was a way to buy books directly from them and that was it...
@dalias (and I also hate the tendency of everything from walmart to digikey to turn into a "marketplace" lately. At one point you could buy oscilloscope software options on walmart's website because TEquipment had a storefront there)
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias every single engineer I've seen talking about this has immediately identified this attack, so it's guaranteed that this will be exploited right away if it goes ahead (and also that Amazon absolutely knows about it)
-
@dalias (and I also hate the tendency of everything from walmart to digikey to turn into a "marketplace" lately. At one point you could buy oscilloscope software options on walmart's website because TEquipment had a storefront there)
@dalias just make a store to sell your products, and let me know i'm buying from you, a company i presumably trust to some extent. that's it, do one thing, do it well
-
The only mitigations are refraining from using public wishlists entirely (set any wishlists you may have to private) or using a PO box or reshipping service to conceal your real physical/final address.
@dalias
Never make a "wishlist" public, or share it. -
@dalias every single engineer I've seen talking about this has immediately identified this attack, so it's guaranteed that this will be exploited right away if it goes ahead (and also that Amazon absolutely knows about it)
@alex They obviously knew about it since the beginning. That's why gifts were limited to fulfilled-by-Amazon. Then some piece of shit manager with no understanding of safety wanted to make the sketchy marketplace more lucrative to sellers to compete in race to bottom.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias I'm hoping we can use this opportunity to get people off of Amazon.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias A couple of guys I trained with in martial arts, are in a paramilitary group, and are now planning a para-doxing welcoming committee.
-
@dalias Or just mail you a tracker.
-
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
@dalias holy shit, wow. I appreciate that heads up. Thank you.
-
@alex They obviously knew about it since the beginning. That's why gifts were limited to fulfilled-by-Amazon. Then some piece of shit manager with no understanding of safety wanted to make the sketchy marketplace more lucrative to sellers to compete in race to bottom.
@dalias exactly. They could also have trivially made wishlists with that setting private, which would at least limit the immediate harm, but that doesn't goose the wishlist metrics
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Current* conditions near Alexandria Bay, NY:
-
Inauguriamo la rubrica #laScuolaDimenticata #nonPiuScuola con un articoletto sulla #provaDelNove
https://wok.oblomov.eu/mathesis/prova-del-nove/
Menzione speciale alla #provaDellUndici che piace tanto a @mau
-
@cm that too
-
@afreytes Or did you just have it all in your head and just needed to type it now, while you spent your morning thinking about the problem at hand, searching reference docs, etc?
-
I... Uh... Lost all four hours of my morning's code...
And I redid all of it in 15 minutes. No I'm not that good. I just accomplished very little this morning.
-
@mattblaze Damn you for being nuanced Matt.
-
Luchè è stato da Tigotà e si è trasformato nel mostro peloso morbidoso
-
@RiversideBryan more prosaically, on first look I thought this was an outhouse 8-D
