Glitch at Amazon.com Exposes E-Mail Addresses

Customers not immediately informed of security problem

An apparent glitch in Amazon.com Inc.'s computer system has released the e-mail addresses of some of Amazon's customers to another customer who participates in the company's Associates program.

Associates link to Amazon.com items on their own Web sites. They earn referral fees of up to 15% per item when a visitor follows a link and makes a purchase at Amazon.com.

Associates user Dave English said that when he logged on to Amazon.com's Associates' page two weeks ago, it accidentally exposed other users' e-mail addresses to him.

"If you go to the Amazon Associates program log-in page and choose to have it e-mail you your password, it complains that the e-mail address you entered is invalid [even if it is fine]. Then, if you hit the Refresh button, you can end up seeing other e-mail addresses of other folks trying to retrieve their password as well," said English, president of Nashua, N.H.-based Strategies Online Inc., which provides software quality-assurance services to local software companies.

English said he believes the problem lies with the script that handles the log-in process, and isn't an overall design flaw.

Delayed Response

Although English notified Amazon about the problem on Aug. 31 - he provided Computerworld with a reply from the company dated Aug. 31, saying it was investigating the matter - he said that he was still able to access other users' e-mail addresses last week.

Amazon.com didn't respond to requests for comment.

Andrew Shen, an analyst at the Electronic Privacy Information Center in Washington, said Amazon.com or any other online company notified of a security breach has a responsibility to respond as quickly as possible and to notify customers about the problem.

"When [customers] provide personal information to a company's Web site, they expect that information to be protected," he said. "There's no such thing as perfect security, but you have to respond quickly." However, Shen said, there is very little incentive for online companies to do so.

"There should be some sort of legal penalty for companies that don't respond to notification of a break-in, in order to force companies to be more responsible," he said.

English said any developer could write a program in about 10 minutes that would automatically refresh the page and grab e-mail addresses. English provided Computerworld with some of the e-mail addresses that he said he shouldn't have been able to see.

"I could leave it running all day and easily scoop up hundreds of thousands of addresses if I wanted to," he said. "Of course, I have no plans of doing this, but a spammer or [Amazon.com's] competition would."

Richard Smith, chief technology officer at the Denver-based Privacy Foundation, a privacy research organization, said English's discovery isn't unusual. "It does happen [that] a glitch at a Web site gives out visitors' information," Smith said. "It seems like it could be a bug in the Web server program. This is one of the things that crops up."

In contrast to Amazon, another online retailer, Danish home furnishings vendor Ikea International A/S, responded to a recent security breach as soon as it learned of the problem.

Rich D'Amico, business development manager at Ikea North America Services Inc. in Plymouth Meeting, Pa., said that at about 8 p.m. on Sept. 3, someone broke into and downloaded a database file containing the names, addresses and telephone numbers of people requesting catalogs.

"We took it down completely so we could investigate it, and it's still down because we haven't finished yet," D'Amico said. "Whoever did this had a lot of [technical expertise], because he got around our high level of security."

Ikea is sending an e-mail to customers who were affected by the security breach, informing them of what happened.

Copyright © 2000 IDG Communications, Inc.