Amazon backdoor exposed wishlist mailing addresses

There’s an article circulating right now about how Amazon customer service can be exploited to reveal targeted mailing addresses. I discovered and reported a similar vulnerability in December of 2014, which was reported to me as fixed in May of 2015. I haven’t publicly documented that process until now.

The vulnerability I discovered relates to Amazon wishlists. Users can associate a wishlist with a private address, so that other people can buy and ship them gifts without ever seeing the recipient's private information. That address should be kept confidential throughout the entire process, but I found that third-party shippers, routinely used for Amazon sites outside of the United States, would sometimes include it in their own confirmation emails to the purchaser.

In particular: I used a wishlist to send a book to a friend, and Canada Post delivered her full address to me in an email. In this exchange, Amazon's confirmation email properly showed my friend's address as redacted, but Canada Post's tracking email revealed it in its entirety.

[Image: Amazon confirmation email, with the recipient's address redacted]
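The flow described above, modelled as an added example (this is not code from the original post, nor Amazon's or Canada Post's code; all class names, field names, addresses and email addresses are constructed for illustration). The leaky variant reproduces the reported behaviour: the retailer redacts its own confirmation but hands the carrier the full address together with the purchaser's email, so the carrier's tracking email leaks it. The hardened variant builds every outbound message from a per-party view and, when the address is private, makes the recipient rather than the purchaser the carrier's notification contact; that is one possible design, not necessarily the one Amazon applied. The `leaks_to` scanner is the check a reviewer of such an integration would want to run over every message destined for the purchaser.

```python
"""Added example: models a gift-shipment notification flow and checks that a
private wishlist address never reaches the purchaser, including via a
third-party carrier's email. All names and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    name: str
    street: str
    city: str
    postcode: str

    def private_tokens(self) -> set[str]:
        # The fields that pin down where the recipient actually lives.
        return {self.street, self.postcode}


@dataclass
class Order:
    purchaser_email: str
    recipient_email: str
    ship_to: Address
    address_private: bool  # True when the recipient set a private wishlist address


@dataclass
class Message:
    to: str
    sender: str
    body: str


def redacted(addr: Address) -> str:
    # What the purchaser is allowed to see: recipient name and city only.
    return f"{addr.name}, {addr.city} (address withheld at recipient's request)"


def full(addr: Address) -> str:
    return f"{addr.name}, {addr.street}, {addr.city} {addr.postcode}"


def leaky_flow(order: Order) -> list[Message]:
    """Reproduces the reported failure: the retailer redacts its own email, but
    the carrier integration gets the full address (it needs it to deliver) plus
    the purchaser as notification contact, and knows nothing of the privacy flag."""
    view = redacted(order.ship_to) if order.address_private else full(order.ship_to)
    retailer_msg = Message(order.purchaser_email, "orders@retailer.example",
                           f"Shipping to: {view}")
    carrier_msg = Message(order.purchaser_email, "tracking@carrier.example",
                          f"Your parcel to {full(order.ship_to)} is on its way")
    return [retailer_msg, carrier_msg]


def hardened_flow(order: Order) -> list[Message]:
    """Hardened (hypothetical design): every message a party receives is built
    from that party's view, and a private address is only ever sent to the
    person who owns it, so the carrier notifies the recipient, not the purchaser."""
    view = redacted(order.ship_to) if order.address_private else full(order.ship_to)
    retailer_msg = Message(order.purchaser_email, "orders@retailer.example",
                           f"Shipping to: {view}")
    notify = order.recipient_email if order.address_private else order.purchaser_email
    carrier_msg = Message(notify, "tracking@carrier.example",
                          f"Your parcel to {full(order.ship_to)} is on its way")
    return [retailer_msg, carrier_msg]


def leaks_to(messages: list[Message], party: str, addr: Address) -> list[str]:
    """Return 'sender: token' for every private address token that appears in
    any message delivered to `party`. An empty list means no leak."""
    found = []
    for m in messages:
        if m.to != party:
            continue
        for tok in sorted(addr.private_tokens()):
            if tok in m.body:
                found.append(f"{m.sender}: {tok}")
    return found


SAMPLE = Order(  # constructed sample order, not real data
    purchaser_email="buyer@example.net",
    recipient_email="recipient@example.org",
    ship_to=Address("A. Recipient", "12 Example Lane", "Toronto", "M5V 0A1"),
    address_private=True,
)

if __name__ == "__main__":
    print("leaky:   ", leaks_to(leaky_flow(SAMPLE), SAMPLE.purchaser_email, SAMPLE.ship_to))
    print("hardened:", leaks_to(hardened_flow(SAMPLE), SAMPLE.purchaser_email, SAMPLE.ship_to))
```

The point of `leaks_to` is that the check runs over the messages actually emitted, not over the retailer's own template: a redaction that lives only in one email template is exactly what fails once a second system starts emailing the same purchaser.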

That would be unacceptable in any circumstance. But it’s all the worse because some of the people who use Amazon wishlists are especially vulnerable to targeted harassment. The service is popular, for instance, among camgirls and sex workers accepting gifts. I’ve also seen wishlists from Twitter microcelebrities, who get occasional threats and unwanted creepy overtures, as well as wishlists from women who are trying to get some support after leaving an abusive domestic situation. For many of these people, a revealed address can be devastating.

I contacted Amazon Security via email,[1] and got a confirmation number and a response from a human that it had been assigned to somebody. The fix, introduced in May, seems to have simply removed the second confirmation email sent directly from Canada Post.

[Image: My email to Amazon Security]

[Image: Amazon Security's response confirming the fix]

Although the five-month window to fix this situation seemed too long to me, I didn't want to go public until it had been addressed. An attacker who knew about this vulnerability could easily exploit it for the cost of the cheapest item on a particular wishlist, and the only fix a user could make was removing their address entirely.

Given that particular combination—easy, cheap exploitation, and no alternative path to security—it seemed irresponsible in this case to disclose the problem publicly. Others may disagree.

This isn’t the first time wishlists have inadvertently leaked address data—it happened at least once before in 2011. Nor do I know for sure that the fix has been applied worldwide, as I only tested in Canada. Unfortunately, for people who could face threats if their address were revealed, Amazon seems like a dangerous service to share it with.

[1] They make a PGP key available, but only distribute it over unauthenticated HTTP. All the more reason Amazon should switch to entirely HTTPS.

Published by Parker Higgins

I'm the Director of Special Projects at the Freedom of the Press Foundation, and previously led copyright activism at the Electronic Frontier Foundation. I live and work in Brooklyn, New York.

Join the Conversation

  1. I doubt it’s been fixed worldwide as I’ve reported the same issue to Amazon UK. I made the point that it could expose shelters and safe houses for domestic abuse victims etc. but was told that it wasn’t a bug/flaw and that it wouldn’t be fixed as the issue was covered in the terms of service.

    If you read the terms that you have to agree to when creating a wishlist you’ll actually see that they allow the address to be passed on to anyone in order to fulfill delivery and I was told this includes the person who ordered off the wish list. It’s stupid though as sending the person who ordered details of the delivery is useless as they won’t be the person receiving so knowing when a parcel will be delivered won’t help make sure anyone is in.

    I still think it’s a privacy hole, but I specifically didn’t blog about it myself as they claimed they wouldn’t fix it and I didn’t want to make the issue more widely known to avoid it being abused.

  2. My friend runs a Twitch stream and wanted to put an Amazon wishlist up like what a lot of the cam girls do. He added lots of stuff to the list and I ordered as a test. I ordered something from a company that was selling on Amazon. I then requested to confirm the shipping information and they sent back my friend's full delivery information to me.
