Gaffe at Amazon leaves email addresses exposed

Just days after Amazon.com tightened its privacy policy, a bug in one of its Web pages exposes numerous email addresses of the site's Affiliate members.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Just days after Amazon.com tightened its privacy policy, a bug in one of its Web pages exposed numerous email addresses of the site's Affiliate members.

Amazon spokesman Bill Curry acknowledged the flaw earlier today, and the company proceeded to fix the problem within several hours of being contacted by CNET News.com.

Dave English, who runs a software quality assurance company in New Hampshire, discovered the problem while trying to update his company's links for the Amazon Affiliate program, which pays members a commission when they refer shoppers to Amazon's stores.

The Web page that helps Affiliate members when they have forgotten their password was the source of the privacy breach.

When a person clicked the link to retain a member password, the box designated for email addresses became filled with other members' addresses. By briefly testing the page, CNET News.com mined several email addresses by refreshing the Web browser.

"If you enter an email address and then keep refreshing it, it will pop up another address," English said.

"The big problem here is someone could write a quick program in under 10 minutes to automatically keep refreshing the page and grabbing the email addresses," he said. "I could leave (the program) running all day and easily scoop up hundreds or thousands of addresses if I wanted to."

"It was a bug," Curry said. "The only thing it did was to reveal the email addresses of other associates; there was no account information and no customer information revealed at all."

Software flaws like this are commonplace on the Web. Home furnishings retailer IKEA shut down its catalog Web site yesterday after its database of detailed customer information was exposed to the public.

"There's a whole category of data spills where it's like, 'Oops, everyone can see everyone's email addresses or personal information,'" said Deborah Pierce, a lawyer at the Electronic Frontier Foundation.

As a result, consumer fear about sending sensitive information via the Web is growing. And Internet businesses are responding by issuing new privacy policies.

Last week, Amazon said it would email millions of customers about its new, revamped privacy policy.