Skip to content

Remote denial of present (DoP) attack via Amazon wishlist  

I placed eleven items this year into my Amazon wish-list for my family and girlfriend to pick from and all were quickly purchased.

A few days later my mother asks if I can put some items to buy because after purchasing one or two the others have now gone.

My brothers don’t have debit cards, my sisters have limited net access my girlfriend claims she hasn’t brought them and nobody else knows about it.

Either I’ve got a secret Santa fulfilling my every Amazon wish or… somebody is executing a remote denial of present attack upon my Christmas!

How it works is simple.

  1. Find the Amazon wish-list of the target
  2. Buy items from the wish-list but ship to your own address
  3. Enjoy the items yourself
  4. Rejoice in knowing the target is deprived of the item now that Amazon believes he will get it

It’s pretty evil.

The only way I can see that Amazon would be able to prevent this attack is to either let you pre-select other Amazon accounts that are able to use your wish-list or to be able to see who brought what.

Ho-ho hum,

[)amien

3 responses  

  1. It’s a very dull end to an otherwise interesting blog post.

    My girlfriend was telling fibs and had brought 4 of them.

    Seems it’s safe for another year although now I’ve published the exploit… ;-)

    Damien GuardJanuary 4th, 2007
  2. I’m curious – what happened in the end about this? Did you get the items that were removed after all? We (Marie & I) have regularly used wishlists for birthdays and xmas (and didn’t suffer a DoP attack) and I’m wondering if it’s a problem waiting to strike…

    steveJanuary 4th, 2007
  3. Haha, a happy ending after all then.

    steveJanuary 4th, 2007

Respond to this