When you sign up, your Amazon email and password are sent to the server using GET and so are visible in the URL. While the request is done over HTTPS (and traffic snoopers can't see it), it is very likely that there are a ton of Amazon credentials lying around unencrypted in a log somewhere on their server.
For some reason, the "Norton Secured" badge makes me less likely to trust the site, and looking at the inline, not very well written JavaScript makes me even less confident that the guys behind this site have the technical chops to keep my data secure.
Wow ... good call on the logs ... curious to hear whether they plan to change from GET to POST. Still wouldn't be comfortable, but seems like something they should do, like right now
Can you briefly explain how to analyze for that, using non-dev tools like Chrome Inspector? I used 'Inspect Element', but found 'Post' on the popup form:
Agreed. My understanding is that having your password does not necessarily allow someone to see your CC number or order things on your behalf through Amazon, but it definitely does not seem like a best practice to go around handing out one's Amazon password. This sort of thing sounds like a good argument, though, for Amazon's implementing the sort of fine-grained permissions (in conjunction with a federated authentication system like oauth) one finds on twitter, FB, Google, and other services with a well-developed API and ecosystem. I would happily authorize a site like this to view my order history, even if I would not be willing to provide my password.
I wonder why more sites don't allow you to create a second, read-only set of credentials for your account. This would solve a lot of trust issues when using a service like this, or for online banking services like Mint. Wanting to stream Netflix/Amazon from an insecure computer would be another use case.
Is there anything we could do to make you (and many more with the same sentiment) more comfortable? We are thinking of writing a blog post on what happens in the background; would that help? Any other ideas?
You should not be collecting peoples' usernames and passwords, being a software engineer aware of the consequences, regardless of whether users are willing to give them up.
There are so many things that can go wrong, even if you've got the best of intentions.
Looks nice, but it just feels a bit weird to enter your Amazon password, with linked credit cards and bank accounts, on another site. I'm aware that there's probably no better way of accessing that purchase history data, but it's just something people have been preaching for years shouldn't be done.
Agreed. However, even with your credentials, we wouldn't be able to access your credit card number (Amazon hides it). Additionally, if we wanted to order anything in your name but to our address, we would have to reconfirm the credit card number, which we don't have.
I am really sorry to hear that. We've experienced that once or twice before. This happens when the phone number associated with the account doesn't match the one you entered. Unfortunately, Amazon sometimes asks for an old phone number, as long as that number has at one point been associated with your account. ShelfFlip definitely doesn't do anything scammy.
What about going the "TripIt" route and let people forward their email receipts? You could parse and let people populate their accounts that way. I think you can even request old receipts for ones you've deleted.
Unfortunately I agree with everyone else and I was immediately wary when it asked me for my amazon credentials. There must be a better way to get this information.
Also these prices make no sense for when I search items directly. How can a flawless Nexus 7 2013 be worth only $70? Where can I buy them all?
> How can a flawless Nexus 7 2013 be worth only $70? Where can I buy them all?
It's worth $70 to them. They are buying to resell, and they can pay a lower price for the convenience of getting the item from your house and paying you instantly.
One can always sell it on eBay/craigslist and get a bigger price, but you'll have to deal with buyers, scammers, shipping, etc. It boils down to how much your time is worth and/or how fast you need the money.
I had a bad feeling as soon as I saw the "Let's find out button". When my fears were confirmed, I immediately closed the tab.
You HAVE to find a better way to do this. People are becoming increasingly aware of the risks of this kind of behavior on malicious sites, and potential users will walk away out of paranoia.
I don't feel comfortable giving my amazon login credentials like a lot of people here. I think Unioncy (https://unioncy.com/) has an interesting solution to this. They parse your emails for amazon receipts to figure out your amazon purchases.
Not only would I echo the "give a website my Amazon creds" argument, but what if I want to sell things I haven't bought from Amazon and/or (like me) you don't really buy things on Amazon?
I have lots of things I would like to sell and declutter, but none of them are from Amazon.
You can also sell products that you haven't bought on Amazon - if we show a price, then we are buying it (you can search for books / electronics here: www.shelfFlip.com/search.php).
I can't believe anyone would put their Amazon password into a third-party site. I clicked on the link, started through the login funnel, realized what I was about to do, and stopped.
When I got the "Are you sure?" message, I started thinking that the site was specifically crafted to show how easy it is to get people to give passwords to a "reputable-looking" third party.
I expected to get some sort of congratulatory message after saying no, like "You're smart enough to not give us your password!" When I didn't get that, I came back to the HN comments, expecting to see an explanation from OP about this proof of concept.
Then I see it's supposed to be a real site. Well then.
The simple login prompt for a different site is terrifying. Even if you can be trusted today, are you sure you won't hire an employee tomorrow who will sell all those passwords for fun and profit?
Asking me to enter my Amazon username and password makes this a complete non-starter. Might be the best idea in the world, but I'm not going to risk handing over my credentials for something as sensitive as my Amazon account to make a few extra bucks on some old stuff. There's just not enough risk-reward there for me (though with all due respect and in all honesty, it's unlikely there would ever be enough reason for me to hand over my credentials to some random startup)
I'm curious about the algorithm. Is there a ceiling for book prices? I seemed to get very similar results for multiple different types of books, including being offered $3.21 for one that sells for $100:http://www.amazon.com/gp/aw/d/0575066601?pc_redir=1405401886...
There is no ceiling in place (I need to look into why different books show similar results). For the mentioned book, there's a difference between the price it is offered at and the price it is actually bought at (if someone wants $100, it doesn't mean that anyone is buying it for that price).
Scanning 44 other book-buying sites, only 3 are buying that book and the price is between $0.12 and $3.97
Great idea. We have that actually implemented, but are currently not displaying it. Unfortunately people are even less likely to give a website access to their emails, since this often means giving access to pretty much everything (through "I forgot my password" emails)
Great idea! I'm guessing you're checking the resale price on Amazon, and giving a price based on that?
I got frustrated with the process of listing / selling items on Amazon (I imagine a lot of it could be automated), and looked around for a service like this (and then added it to my 'side-project' idea list).
martingordon|11 years ago
jggonz|11 years ago
A possible solution:
There's a "Login with Amazon" service that may be what the developer needs to be using: http://login.amazon.com/
jflowers45|11 years ago
jngreenlee|11 years ago
<form id="add_products_form" name="add_products_form" onsubmit="connect_amazon2(); return false;" method="post" enctype="multipart/form-data" _lpchecked="1">
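An added check, not code from the thread or from the site under discussion: the form above declares method="post", but its onsubmit handler (connect_amazon2) takes over the submission, so the form attribute alone says nothing about how the credentials actually travel. What matters for server logs is the request URL, since access logs record the path and query string but not a POST body. The script below (the function names and the credential-field regex are my own assumptions) wraps XMLHttpRequest.prototype.open and fetch so that any request carrying credential-looking field names in its query string is reported. In Chrome, paste it into the DevTools console before clicking submit, then compare with the request URL shown in the Network panel.

```javascript
// Added example, not code from the thread or from the site discussed.
// Credential-looking field names; the list is an assumption, extend as needed.
const SENSITIVE_PARAMS = /^(pass(word|wd)?|pwd|email|user(name)?|login|token|secret)$/i;

// Names of query-string parameters that look like credentials.
// Relative URLs resolve against a placeholder base so the parser accepts them.
function sensitiveQueryParams(url, base = 'https://placeholder.invalid/') {
  const u = new URL(String(url), base);
  return [...u.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.test(k));
}

// Wrap an XMLHttpRequest-like prototype's open() and an object's fetch()
// so every request with credential-looking params in its URL is recorded.
// Returns the live list of findings; `report` receives one message per hit.
function installRequestWatcher({ xhrProto, fetchHolder, report = console.warn } = {}) {
  const findings = [];
  const check = (method, url) => {
    const params = sensitiveQueryParams(url);
    if (params.length > 0) {
      const m = String(method || 'GET').toUpperCase();
      findings.push({ method: m, url: String(url), params });
      report(`[creds-in-url] ${m} ${url} puts ${params.join(', ')} in the query string`);
    }
  };
  if (xhrProto && typeof xhrProto.open === 'function') {
    const origOpen = xhrProto.open;
    xhrProto.open = function (method, url, ...rest) {
      check(method, url);
      return origOpen.call(this, method, url, ...rest);
    };
  }
  if (fetchHolder && typeof fetchHolder.fetch === 'function') {
    const origFetch = fetchHolder.fetch;
    fetchHolder.fetch = function (input, init = {}) {
      // fetch accepts a string, a URL or a Request; a Request keeps its URL in .url
      const url = (typeof input === 'string' || input instanceof URL) ? String(input) : input.url;
      check(init.method || (input && input.method), url);
      return origFetch.call(this, input, init);
    };
  }
  return findings;
}

// In a browser console this hooks the real objects; under Node it is skipped.
if (typeof XMLHttpRequest !== 'undefined') {
  installRequestWatcher({ xhrProto: XMLHttpRequest.prototype, fetchHolder: globalThis });
}
```

A hit means the credentials are part of the URL and will show up wherever URLs are recorded: web server access logs, reverse proxies, CDN logs and browser history. Moving the fields into a POST body removes them from the URL, which is the specific leak being discussed, though it does not by itself make collecting the password acceptable.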
ElComradio|11 years ago
disc: not implying you would disagree with any of the above.
bambax|11 years ago
As well as on Amazon's logs, which aren't meant to hold customers' passwords. This is bad, bad, bad (interesting idea though).
ChristianKletzl|11 years ago
bearbin|11 years ago
pdabbadabba|11 years ago
melvinmt|11 years ago
canvia|11 years ago
ChristianKletzl|11 years ago
gnu8|11 years ago
pnathan|11 years ago
schrodinger|11 years ago
dewey|11 years ago
ChristianKletzl|11 years ago
silentbob46|11 years ago
ChristianKletzl|11 years ago
billsinc|11 years ago
JadoJodo|11 years ago
izzydata|11 years ago
slig|11 years ago
azurelogic|11 years ago
It's a great idea, if you can find another way.
cnaut|11 years ago
thekevan|11 years ago
ChristianKletzl|11 years ago
SethKinast|11 years ago
Practicality|11 years ago
elyrly|11 years ago
ChristianKletzl|11 years ago
@everyone: Want us to email you as soon as we have a password-free way to import your purchases? (for example through csv import)
Shoot me an email to [email protected] (subject: "shelfflip passwordfree")
schrodinger|11 years ago
meraku|11 years ago
donall|11 years ago
ChristianKletzl|11 years ago
balor123|11 years ago
ChristianKletzl|11 years ago
loumf|11 years ago
http://www.amazon.com/gp/help/customer/display.html?nodeId=2...
I know it puts some burden on the customer, but as a fallback, it's better than losing them.
WWKong|11 years ago
xur17|11 years ago
I'll give it a shot next time I get rid of stuff.