Remote denial of present (DoP) attack via Amazon wishlist

I placed eleven items this year into my Amazon wish-list for my family and girlfriend to pick from and all were quickly purchased.

A few days later my mother asks if I can put some items to buy because after purchasing one or two the others have now gone.

My brothers don’t have debit cards, my sisters have limited net access my girlfriend claims she hasn’t brought them and nobody else knows about it.

Either I’ve got a secret Santa fulfilling my every Amazon wish or… somebody is executing a remote denial of present attack upon my Christmas!

How it works is simple.

  1. Find the Amazon wish-list of the target
  2. Buy items from the wish-list but ship to your own address
  3. Enjoy the items yourself
  4. Rejoice in knowing the target is deprived of the item now that Amazon believes he will get it

It’s pretty evil.

The only way I can see that Amazon would be able to prevent this attack is to either let you pre-select other Amazon accounts that are able to use your wish-list or to be able to see who brought what.

Ho-ho hum,

[)amien

3 responses

  1. Avatar for steve

    I'm curious - what happened in the end about this? Did you get the items that were removed after all? We (Marie & I) have regularly used wishlists for birthdays and xmas (and didn't suffer a DoP attack) and I'm wondering if it's a problem waiting to strike...

    steve 4 January 2007
  2. Avatar for Damien Guard

    It's a very dull end to an otherwise interesting blog post.

    My girlfriend was telling fibs and had brought 4 of them.

    Seems it's safe for another year although now I've published the exploit... ;-)

    Damien Guard 4 January 2007
  3. Avatar for steve

    Haha, a happy ending after all then.

    steve 4 January 2007