Rich Felker
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.
In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.
Rich Felker
The only mitigations are refraining from using public wishlists entirely (set any wishlists you may have to private) or using a PO box or reshipping service to conceal your real physical/final address.
Rich Felker
@azonenberg Previously you could select that you only accept gifts fulfilled by Amazon. They just took away that ability.
Andrew Zonenberg
@dalias was this not already possible? like i'm not sure how wishlists would work if the seller didn't know how to ship the product?
Andrew Zonenberg
@dalias (and I also hate the tendency of everything from walmart to digikey to turn into a "marketplace" lately. At one point you could buy oscilloscope software options on walmart's website because TEquipment had a storefront there)
Andrew Zonenberg
@dalias aha, ok.
I miss when amazon was a way to buy books directly from them and that was it...
Rich Felker
@erikcats @raymaccarthy I'm not sure how accepting gifts from ppl who enjoy you entertaining them is "grift".
Erik
@raymaccarthy @dalias true and even if this is how 'streamers' and 'content creators' grift, this is also used as a tool for mutual aid.
Ray McCarthy
@dalias
Never make a "wishlist" public, or share it.
Gavin
@Ragashingo @dalias that's what they're taking away, as I understand it. So I think it's the case _now_, it will shortly _not_ be the case.
So if you're lucky, you can now get the same thing from a third-party seller. If you're mid-lucky, you can get something passing itself off as the same listing from a third-party scammer. If you're unlucky, your address gets leaked to a third-party stalker.
Clearly I wasn't the only person who read that mail this morning and thought "oh no".
Ragashingo
@dalias I would have expected that wish listing something would mark that exact product from that exact seller as the thing you want. Like... I want this known authentic doodad from this known reputable seller.
Is that not the case?
Rich Felker
@_calmdowndear @Ragashingo Amazon should have been stopped in their tracks when they first allowed third parties to link their counterfeit items as just being a different seller for the same genuine item, rather than a separate product listing.
The whole last capitalist fascist hell we're in is a consequence of letting companies do things that were long-illegal and would have been prosecuted as racketeering if not for "with computers" tacked on to the business plan.
Rich Felker
@TrimTab We're not "lamenting" it. We're doing safety outreach to get information to people who might suffer real harms if they don't know about it.
TrimTab 🇺🇦
@dalias
Come on guys, we sit on mastodon lamenting the sorry state of the world, and then everyone signs into an amazon account??? If our actions are to give money to an organization that aggressively works to destroy the middle class and liberal democracies world wide, then our words are meaningless... :-/
Quoting The Disposable Heroes of Hip-Hopricy: hypocrisy is the greatest luxury....
Rich Felker
@rugk They didn't explain that "third-party sellers" means "anyone who signs up for a seller account, possibly the same person as the 'buyer' who just wants to get your address".
rugk
@dalias ah that was the mail Amazon sent. They have sent and explained that in a mail…
draNgNon
@dalias so to be clear, just setting the lists private is an immediate mitigation?
I haven't touched this feature since... apparently 2020 (and have only ordered one thing from Amazon since WaPo declined to endorse Harris and I dropped Prime like a hot potato). if I can take it private now and reconsider the existence of these lists entirely when I have more time to do so, that is better for me.
Rich Felker
@draNgNon That's my understanding.
Rich Felker
@jpkolsen It's a way for fans to compensate people whose work they appreciate who can't easily take payment. AIUI one big place this comes up, and where doxing is a huge threat, is sex work. But really for anyone doing things where there's a parasocial relationship with an audience the same applies.
Johan Pelck Olsen
@dalias I don’t understand why anyone would ever want a public wishlist, even disregarding stalkers and the like. Seriously, how is it of public interest that you’d like a new bathrobe?
Rich Felker
@rootbrian Public wishlists are for like when you have fans you want to let buy you things in place of sending money, or for wedding gifts, kids' birthday gifts, etc.
Rootbrian
@dalias Thankfully I have no wishlist. I just add items to the cart and leave 'em there indefinitely until I decide to purchase at a later date, or remove them if I don't. I rarely order anything at all online since most stores have what is commonly available.
Rich Felker
@Anneheathen That's a really good question and I have no idea. If the URL to the wishlist isn't discoverable there's probably very little threat even if it is still there, and hopefully it's not even there. In theory you should be able to contact them and request confirmation of deletion, but good luck with that... 🤬
AnneArchy Anne
@dalias anyone here know what happens if you once had an amazon account but deleted it years ago (but now discovered, via the warning email from amazon, that the wish list still apparently exists)?
Rich Felker
@jpkolsen No, more like a bunch of people watch your live streaming and want to thank you for providing them entertainment, so you have a public wishlist of things they can buy for you as part of the parasocial relationship.
Johan Pelck Olsen
@dalias so, an author you like writes a book and you post it on your wishlist as a type of micro-advertisement, is that it? I feel like the world is getting weirder quicker than I’m comfortable with….
Rich Felker
Rich Felker
@raymaccarthy @darwinwoodka The idea of a wishlist and the store letting you buy items on someone else's wishlist for them is that it's privacy-preserving for the recipient. They don't have to give their address out to people they want to be able to receive gifts from. Only the store that they already shop at and that already knows their address gets to see it.
What Amazon has done is broken that promise - the whole purpose of the wishlist system - by letting third-party sellers (to whom Amazon needs to disclose the recipient address for shipping purposes) in on wishlists. Now anyone wanting to get your address just needs to sign up as a third-party seller.
Darwin Woodka
That would be nice, but a lot of people are using them as teachers for classroom supplies now or charities using them to get donations of supplies they need.
Ray McCarthy
@darwinwoodka @dalias
They can share what they need as an item that the donor buys? No need to share an account's "wishlist".
Dr Ro Smith
@TrimTab @dalias The middle-class ableism is strong with this one. Amazon is evil, but often the only way for disabled people or people in rural areas to get affordable items without leaving the house.
Going out to a store is a luxury for those with the time and physical ability.
Postage is a disability tax.
And an Amazon wishlist has for a long time been the easiest way for people to buy things for others without them giving out their address. It is a form of mutual aid. It is not our>
Dr Ro Smith
@jpkolsen @dalias It's a form of mutual aid. As a disabled person I cannot work and can barely leave the house. it's a pretty bleak existence. A wishlist lets people who care about me buy things for me and my cat that we need or that will lift our spirits. Not everything is a grift.
Rich Felker
@Ooze It will but I'm offering up missing critical information on safety not my opinions on their life choices. And "deleting your account" is one form of "refraining from using public wishlists entirely" anyway.
Ooze 𓁟
@dalias Deleting your account will 100% solve the problem.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.