Congrats, my book is now in your Amazon shopping cart!

Posted on November 7, 2007

I've been a computer programmer for quite some time now, but I've never actually been to a programming conference of any sort. That has changed now that I'm attending the DC PHP Conference on Nov. 7-9. The first day of events went about as I expected, considering that there's a lot I need to learn about the tools I use at my current job.

And to top it off, the first speaker, PHP and web application security expert Chris Shiflett, talked about a bug that is easy to exploit. It's a pretty simple one: without doing a thing, you can add a book to someone's Amazon shopping cart.

You don't believe me, do you? Assuming you have an Amazon account, go check your shopping cart. It's a pretty safe bet that you will see "The Developers" in your cart. I bet you're wondering how I did it? Well, I guess you'll have to go to the conference to find out ... maybe next year.

The funny thing is that Shiflett noticed this error more than a year ago and contacted Amazon about it immediately. They chose not to fix it, so he decided to post it on his website. Even still, the company hasn't fixed the issue, as evidenced by the script on this page that adds my book to your shopping cart.

This should teach you two important lessons. First, if you shop online, make sure you check your shopping cart before checking out. Secondly, some companies don't care as much about programming concerns as they should. Pretty sad, but I'm guessing Amazon assumes that if someone wants to exploit the problem, the company will profit, as it will be an additional sale.

And trust me, Amazon makes a lot more off you buying my book than I do. But I like trying new ways to sell books.