Amazon gift registries are a treasure trove of personally identifiable information and, due to some glaring security flaws, one that needs no keys, experts have warned.
The Intercept found that anyone is able to use these registries to find out all kinds of sensitive information about people around the world, both the living and even those who are yet to come into this world.
The Intercept says the data Amazon gathers through its wedding, birthday, new baby, and other registries is available to anyone who knows where to look, given that the default visibility settings are preset to public.
For a wedding registry, for example, the company takes the first and last names of both partners, the wedding date, the number of guests attending, and a mailing address.
Not only is this data then set to public, but it’s also automatically sent to The Knot service. For baby registries, on the other hand, Amazon takes first and last names, expected due dates, whether the baby is the parents’ first child, and a mailing address.
Visibility settings are the same as for wedding registries, with the exception that the data does not go to The Knot, but rather to The Bump, What to Expect, and Baby Center.
All in all, there’s plenty of data here for a solid identity theft campaign - and there’s something particularly sinister about this given that crooks can easily obtain identity details of dead children and use them to launch various cybercrime campaigns.
While at first glance only the data from 2020 onward is available, the actual situation is far worse. Just playing a little with Amazon’s search engine can bring back results from as far back as 2004.
While Amazon does give users the option to delete the registries, some people never do.
TechRadar Pro has contacted Amazon for comment.
Via: The Intercept