Submitted by mikeperry on Thu, 09/25/2008 - 06:46
About 3 weeks ago, I sent a preliminary copy of the CookieMonster tool to an Amazon employee who requested it after I announced they were vulnerable, and that it was available for testing/proof. I was glad he contacted me, because I was having a really hard time contacting their security team (all their security pages are FAQs on phishing, and their security alias returns a bounce saying not to trust any mail that comes from it!).
He didn't mention anything specific or even claim to officially represent Amazon, but we did exchange a couple of emails, and he seemed legitimately interested in the tool. Then, about a week or so ago, I received word via a friend of a friend that an Amazon employee had gotten some heat for requesting the tool. Since there was only one Amazon employee who bothered responding or requesting the tool at all, I decided to send him an updated copy and wish him luck on whatever happened. To my great surprise, the email bounced with a "no such user" error. The address certainly was valid when I sent him the first copy, so I'm not sure what this means. I suppose it could be coincidence: the employee could have just quit, but I suspect something fishy is going on.
I tried googling his name and alias to track him down, and had some friends check Seattle Facebook, but I came up empty-handed. If you are an Amazon employee and feel like letting the public know what happened and are able to verify the status of employees (or are the employee in question!), please download Tor to a non-work computer, use it to create a Gmail account, SET THE PREFERENCE, and email me, and I will provide you with the name and username of the user to check.
But be careful, apparently it's a jungle out there.