I start every morning reading through the Google News tech and business sections, and every morning there’s a new story about something Amazon/Walmart/Target/etc. is doing to “win” the eCommerce War. Acquisitions, same day delivery, and new merchandising programs intermingle with reports of stock rises and crashes. But with this rapid rollout of features, are the biggest retailers more concerned with their customer experience or their shareholder experience? Features are being released prematurely to “win” the battle, but without the proper consideration of how they could be misused.
Winning the War is Half the Battle
Take Walmart.com as an example. Through their Rich Content API and third-party Content Service Providers, it is possible to publish anything to the product pages you own. There is no moderation, review, or sanitization of the content. Even if they were to add moderation or review to the program, at this time all videos and images are hosted by the content provider and not through Walmart’s own Content Distribution Network. So you could get an initial image approved through review, and then substitute it with something less appropriate where the file itself is hosted. It would be fairly simple to add tracking pixels to the page that would track visitors across domains, or to put up inappropriate content that Walmart wouldn’t want on their site.
Less subtle would be to put a fake checkout form within the section. While it isn’t likely many people would fall for it, it could be done in a way that mimics Amazon’s One Click Checkout. With the increasing adoption of online shopping by less tech-savvy generations, it would be pretty simple to steal credit card information in this way.
Customers First, Innovation Second
I am as far from resistant to change as there can be. That said, I am not a hacker, and I spotted these vulnerabilities in an hour. With hundreds of millions of monthly visitors, even a small and subtle exploit of this could be huge. I very much believe in the idea that “good enough” is better than perfect when it comes to releases in the tech sector, but they need to be done in a way that doesn’t leave consumers open to vulnerabilities. As I mentioned above, simple steps like moderation and sanitization of the data could help protect the consumers they depend on, but it looks like they are more focused on moving as quickly as possible to appease investors and suppliers and create news stories.
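The moderation and sanitization step asked for above, written out as an added example (this is not Walmart’s code or any content provider’s): a small allowlist sanitizer in Python for supplier-submitted rich-content fragments. It assumes the retailer receives the HTML fragment before it is published and that approved images are copied to a CDN the retailer controls, so a reviewed file cannot later be swapped where it is hosted. The CDN host name cdn.example-retailer.invalid and the sample fragment are constructed for the example.

```python
"""Allowlist sanitizer for supplier-submitted product-page content (added example).

Assumptions: the retailer sees the fragment before publishing, and only images
already copied to the retailer-controlled CDN (host name below is a placeholder)
are acceptable. Everything that can run script, submit data or embed another
document is dropped, and every drop is recorded for the reviewer.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "ul", "ol", "li", "strong", "em", "h2", "h3", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt"}}  # no on* handlers, no style, no href
ALLOWED_IMAGE_HOSTS = {"cdn.example-retailer.invalid"}  # assumed retailer CDN
# HTML void elements never get a closing tag, so they must not affect nesting depth.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def image_src_ok(src):
    """Accept only https images served from the retailer-controlled CDN."""
    u = urlparse(src)
    return u.scheme == "https" and u.hostname in ALLOWED_IMAGE_HOSTS


class RichContentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output pieces
        self.rejected = []   # audit trail: what was stripped and why
        self._skip_depth = 0 # > 0 while inside a dropped element's subtree

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:            # inside a dropped subtree: keep skipping
            if tag not in VOID_TAGS:
                self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:     # drop the element and everything in it
            self.rejected.append(f"tag:{tag}")
            if tag not in VOID_TAGS:
                self._skip_depth = 1
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.rejected.append(f"attr:{tag}@{name}")
                continue
            if tag == "img" and name == "src" and not image_src_ok(value or ""):
                # Off-CDN image: the file could be replaced after review, so drop the tag.
                self.rejected.append(f"img-host:{urlparse(value or '').hostname}")
                return
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag not in VOID_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:        # re-escape text so markup cannot be smuggled in
            self.out.append(escape(data))


def sanitize(fragment):
    """Return (clean_html, rejected) for a supplier-submitted fragment."""
    s = RichContentSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.rejected


# Constructed sample submission: legitimate content mixed with the kinds of
# additions the post warns about (off-site image, script, form, event handler).
SUBMITTED = (
    '<h2>Product details</h2>'
    '<p>Great <strong>widget</strong> &amp; more</p>'
    '<img src="https://cdn.example-retailer.invalid/widget.jpg" alt="Widget">'
    '<img src="https://supplier-hosted.invalid/pixel.gif" alt="">'
    '<script>track()</script>'
    '<form action="https://supplier-hosted.invalid/submit"><input name="payment"></form>'
    '<p onclick="alert(1)">Buy now</p>'
)

if __name__ == "__main__":
    clean, rejected = sanitize(SUBMITTED)
    print(clean)
    print("rejected:", rejected)
```

The `rejected` list is the piece a review team actually needs: a submission that keeps tripping the image-host rule or keeps including forms is a signal to pull the provider’s access, not just to clean the page. Serving images only from the retailer’s own CDN is what closes the “approve one file, then swap it at the source” gap described above.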
Also published on Medium.