I can manipulate your amazon.com recommendations (opens in new tab)

I can think of two evil uses for this:

#1: If you're an author who also runs a blog, you can make Amazon "recommend" your book to your visitors.

#2: The Amazon referral tag is included in the iframe. If I recall right, once you visit an Amazon page with such a tag, that gets set for your entire session and the referrer gets credit for everything you buy. This means if I embed this my website, and you visit, I will get a cut of all your Amazon purchases. Automatically.

(As stated below this will probably get you banned before you can receive payment, sadly)

X-Frame-Options (in supported browsers) prevents the result of a request from being rendered in the browser, it doesn't prevent the request itself from being made. So does X-Frame-Options actually prevent this? Is the change to your recommendations made by an AJAX callback when you view the page? I would've assumed it was made by the pageview itself.

1. clicked through as described 2. Carnegie's book not on my list

either Amazon fixed this already or it never worked in Chrome? or something else.

So, it's going to be a matter of time before some hacker's "Learn to be successful with no effort, pick up chicks, lose weight, and make money in your free time" book rockets to number 1.

This is such a simple hack that I am shocked it took this long for someone to try it.

That's nothing special actually.

The Amazon recommendations module is definitely buggy, but it works for their purpose and as long as they can cope with "marketplace manipulators" they're okay. Oh they can't.. well you know they are one of the largest Marketplaces, they will find a solution quickly.. http://news.ycombinator.com/item?id=2475854 Oh, they can't even fix that? Well what needs to be said, needs to be said.

Thanks for your find middus!

And in the mean time, all HN readers who visited the page with the iFrame got cookied with an Amazon affiliate cookie of the "Hacker" writing about this!

> X-Frame-Options response header is set to SAMEORIGIN

So break every iframe on the net to fix Amazon's lazy approach to recommendations?

Tangent: Thanks for disclosing your Amazon referral link. I don't mind when people use them, but they always seems much more polite with a disclaimer on the page.

After a conversation with a co-worker about how products followed him around on amazon, I had the same thought of providing a series of "funny" recommendations using this method.

The only problem would be researching the funny products would probably skew my results as well (unless I was careful and viewed incognito mode)

There are so many reasons that looking at an item doesn't mean you're interested in buying it (or, a least not buying it for yourself) that I'm surprised that such minor signals like that still radically alter your recommendations. The system doesn't seem particularly smart.

Hack works on Android Browser.

Why the iframe stuff and not just Javascript to send requests to amazon.com?

I thought about this for a minute, then I thought "who cares". If I go to someone's web site and they set my amazon recommendations to buy their merchandise that they are setting, couldn't they have just showed me the same thing on their site with a link to Amazon? Couldn't they just as easily redirected my browser to the amazon page or tried opening up a popup to go to their produce there? amazon's recommendations are based on what you viewed or searched for last. How often do you go to amazon to find something to buy? I go there to find something I already know that I want - and I then search for it.

Seeing their recommendations for some merchandise that I also saw on a different website earlier does not affect me in any way, in fact I don't even look at the recommendations. I type in what I am looking for and hit enter (boom, old recommendations are gone).