Goodreads - sex spam attack vector?
Goodreads is an Amazon-owned site to track and review books. Recently I got propositioned for sex there.
This totally caught me by surprise. My use of the site is passive - with my Kindle, books get marked in Goodreads as I start reading and when I finish.
Then this email arrives to suggest a different type of finishing.
As an appsec guy, it’s hard — err difficult — not to find this interesting.
We can infer that there are ineffective or non-existent controls against botting on this Amazon-affiliated site.
We can infer that the input validation for usernames is super liberal.
We can infer there are social features that may be little-known to most Goodreads members — making this an excellent means of popping an email to them.
Honestly this is a great spam vector and not even being used to its potential here.
What does my reading history look like?
It’s not that spicy. There’s no erotica. But you might find people that do have that and target your spammy campaigns appropriately.
More to the point, “e-whoring” as popularized by HackForums.net could prove quite successful. Just a guess.
Watch yourselves out there in this sex-crazed world. Not even Goodreads is safe from heathens.
Randy Gingeleski - GitHub - gingeleski.com - LinkedIn