Amazon: Caught In The Act

The drama played itself out on Monday like a Shakespearean farce in several acts.

Act I: a flutter of Twitter broadcasts, tagged "amazonfail," declaring that Amazon.com had wronged the gay and lesbian community by removing adult books, namely gay romance novels, from its ranking system and search results. This was the people's call to arms. Amazon's move was denounced as an outrage. Amazon itself countered, suggesting that the problem was merely a technical glitch. The bits flew.

Act II: a battle-worn system engineer floated the theory that the whole thing might all be a ruse, a clever prank. The target? Not the gay community, but rather Amazon's thin holiday-weekend support staff and a trigger-happy Amazon communications team.

Enter "Weev," stage left (think: Shakespeare's Puck). Weev is a high-profile "Internet troll" known for milking the public for laughs. But he's a decorated cyberfiend, too, and the kind of guy you might take seriously if he claims responsibility for crippling someone else's system.

"Who else trolls via moral outrage?" mused Weev in his post. "Not many in the scene that I know of."

By the end of this scene, Weev points to a very real security hole in Amazon's structure, something called "cross-site request forgery." In this kind of attack, a logged-in user's browser is tricked into sending a request the user never intended, and the Web application, seeing the user's valid session, carries out the action as if the user had asked for it. While typical attacks may involve purchasing something or resetting a user's password, Weev claims he used the technique to flag Amazon's content as inappropriate--an otherwise harmless list of books tagged with LGBT metadata.
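To make the mechanism concrete, here is an added Python model (not code from the article, from Weev, or from Amazon) of a "flag this item as inappropriate" handler in two forms: one that trusts the session cookie alone, so a request submitted from any other site is accepted as the victim's own, and one that also demands a per-session anti-forgery token that a foreign page cannot read. Handler names, the session and request dictionaries, and the item ids are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # server-side key (constructed for this example)

def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session; only the site's own pages can embed it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def flag_item_vulnerable(session: dict, request: dict, flags: set) -> int:
    """Trusts the session cookie alone, so a form auto-submitted from another
    site is accepted as the logged-in victim's own action."""
    if not session.get("user"):
        return 401
    flags.add((session["user"], request["form"]["item_id"]))
    return 200

def flag_item_hardened(session: dict, request: dict, flags: set) -> int:
    """Requires POST plus a per-session token, checked in constant time."""
    if not session.get("user"):
        return 401
    if request["method"] != "POST":
        return 405  # state changes never ride on GET
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session["id"])):
        return 403
    flags.add((session["user"], request["form"]["item_id"]))
    return 200

def simulate() -> dict:
    """Replay a forged and a genuine 'flag this item' request against both handlers."""
    session = {"id": "sess-42", "user": "alice"}          # constructed victim session
    forged = {"method": "POST", "form": {"item_id": "book-123"}}  # no token: foreign page can't read it
    genuine = {"method": "POST", "form": {"item_id": "book-123",
                                           "csrf_token": csrf_token_for(session["id"])}}
    vuln_flags, hard_flags = set(), set()
    return {
        "vulnerable_forged": flag_item_vulnerable(session, forged, vuln_flags),
        "hardened_forged": flag_item_hardened(session, forged, hard_flags),
        "hardened_genuine": flag_item_hardened(session, genuine, hard_flags),
        "vulnerable_flag_count": len(vuln_flags),
        "hardened_flag_count": len(hard_flags),
    }
```

In a real deployment the token check is usually paired with `SameSite` session cookies and an `Origin`/`Referer` header check as defence in depth, and a spike in flag or report submissions from many accounts against one catalogue category is the kind of signal an operations team would alert on.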

End of scene. But the story? This could be just the intermission.

A grand finale may unfold over the next few days. Savvy Web-goers will remember that a version of this drama has been played before. Some very clever security journalists have fallen for the pranks in the past.

It could be, of course, that Amazon's "glitch" was indeed created by someone outside the company. Weev might be the mischievous culprit, just as he has declared. Those who had been steaming at Amazon are already forgiving Weev, and even giving him a virtual high-five for a clever stunt. "this is the first post you've made that I enjoyed. awesome work dude," commented xulong on Weev's page.

Then again, claiming credit for the snafu could itself be a prank--by none other than Weev.

Amazon's tech team in Seattle has some serious cyberdigging ahead to sort out exactly what happened. The only thing that will certainly be brief about this episode is the caption that Weev offered for it: "how to cause moral outrage from the entire Internet in ten lines of code."


I am a developer in the Operations Research group at Forbes, formerly a staff writer on the editorial side. Have something I should see? Send it to buley.reports@gmail.c...