• AnyStream is having some DRM issues currently, Netflix is not available in HD for the time being.
    Situations like this will always happen with AnyStream: streaming providers are continuously improving their countermeasures while we try to catch up, it's an ongoing cat-and-mouse game. Please be patient and don't flood our support or forum with requests, we are working on it 24/7 to get it resolved. Thank you.

Discussion Same creds for Amazon Shopping and Prime Video. I'm a bit reluctant to share my Amazon UID/PW with Redfox :-(

Status
Not open for further replies.
dvd4fun

dvd4fun

Well-Known Member
Thread Starter
Joined
Jun 24, 2013
Messages
145
Likes
7
As far as Netflix is concerned, it's only a streaming service.
But Amazon... They use the same creds for shopping and vids.

What can you guys say to confort me. Am I sharing my Amazon creds with Redfox?
 
dvd4fun said:
As far as Netflix is concerned, it's only a streaming service.
But Amazon... They use the same creds for shopping and vids.

What can you guys say to confort me. Am I sharing my Amazon creds with Redfox?
Click to expand...
Hello @dvd4fun,

For Amazon you can activate 2FA in your Amazon account.

2FA = Two-Step Verification is a feature that adds an extra layer of security to your account log-in.


When you try to log in, Two-Step Verification sends you a unique security code. When you sign up for Two-Step Verification, you can choose to receive the security code by text message or authenticator app.

You need to enter both the code and your password to log in.

To enable Two-Step Verification:
In Your Account, select Login & security.
Select Edit beside Two-Step Verification (2SV) Settings.
Select Get Started.
Follow the on-screen instructions.
 
I recommend logging out in Anystream first before you activate it in Amazon.
After its active, log in again.
 
If I had the choice I would give Redfox my info LONG before Amazon. Your concern in general is absolutely valid but Redfox should not be the one you worry about most.

Functionally, I have not seen AS or any Redfox product communicate with anything outside of updates or the AnyDVD OPD. And you may think, how would I know? Trust me I would know. I block more at home then I do at work. I have to allow through the Redfox servers specifically for it to function. I won't tell you I am 100% on that but I will tell you as often as I look I do not see any evidence of what you are concerned about.
 
tectpro said:
I recommend logging out in Anystream first before you activate it in Amazon.
After its active, log in again.
Click to expand...
Sorry for asking, but I don't understand what this will achieve.
 
dvd4fun said:
Sorry for asking, but I don't understand what this will achieve.
Click to expand...
Even if somebody gets your Amz login credentials, he/she would also need to get access to your 2nd authentication factor (be that an app on your smartphone or a one-time-code sent to your email address) to execute any critical actions like payments and such.
 
cartman0208 said:
Even if somebody gets your Amz login credentials, he/she would also need to get access to your 2nd authentication factor (be that an app on your smartphone or a one-time-code sent to your email address) to execute any critical actions like payments and such.
Click to expand...
Two factor makes it difficult to get someone's account when the credentials are known but it is not at all impossible. Sometimes the platforms themselves are the weak point through unintended bugs or their support getting socially engineered.

The takeaway is always guard all of it as best you can. But again, Redfox is not the one here to worry about. Amazon is mining data almost as much as Google.
 
cartman0208 said:
Even if somebody gets your Amz login credentials, he/she would also need to get access to your 2nd authentication factor (be that an app on your smartphone or a one-time-code sent to your email address) to execute any critical actions like payments and such.
Click to expand...
I know exactly what 2FA is, I just didn't see what "I recommend logging out in Anystream first before you activate it in Amazon. After its active, log in again." had to do with it.
 
DQ said:
Two factor makes it difficult to get someone's account when the credentials are known but it is not at all impossible. Sometimes the platforms themselves are the weak point through unintended bugs or their support getting socially engineered.

The takeaway is always guard all of it as best you can. But again, Redfox is not the one here to worry about. Amazon is mining data almost as much as Google.
Click to expand...
That was not the point. Any service provider is vulnerable to attacks or plain human nature.

"The takeaway is always guard all of it as best you can."
Exactly, introducing a MIM such as AS wouldn't qualify as best practice. And as I started with. Getting my Netflix account compromised. meh.
Getting my Amazon account compromised is a bit more worrisome. Best mitigation would be if Amazon was not such a dick and allow separate creds. Also as already mentioned here. 2FA is a fair mitigation.
 
dvd4fun said:
That was not the point. Any service provider is vulnerable to attacks or plain human nature.

"The takeaway is always guard all of it as best you can."
Exactly, introducing a MIM such as AS wouldn't qualify as best practice. And as I started with. Getting my Netflix account compromised. meh.
Getting my Amazon account compromised is a bit more worrisome. Best mitigation would be if Amazon was not such a dick and allow separate creds. Also as already mentioned here. 2FA is a fair mitigation.
Click to expand...
I know it wasn't but I was replying to cartman0208 in that particular case.

AS is not a main in the middle in my view. It's no different than you accessing Amazon from your browser because technically speaking (to my understanding) that's all it is doing. It just scrapes the URL for the download and gives you a button to press.
 
DQ said:
I know it wasn't but I was replying to cartman0208 in that particular case.

AS is not a main in the middle in my view. It's no different than you accessing Amazon from your browser because technically speaking (to my understanding) that's all it is doing. It just scrapes the URL for the download and gives you a button to press.
Click to expand...
I stand corrected, AS act as a client and doesn't intercept anything you are right. I just hope AS use good cryptography measures to protect the creds.
 
dvd4fun said:
Sorry for asking, but I don't understand what this will achieve.
Click to expand...
I recommended it because I noticed for me that in the past when I activated 2FA,
I had to logout and login in AS.
 
dvd4fun said:
I stand corrected, AS act as a client and doesn't intercept anything you are right. I just hope AS use good cryptography measures to protect the creds.
Click to expand...
I don't think AS saves any credentials. The browser they use for Amazon is some slimmed down version of chromium. The others I don't know but they probably all work like any other browser where once you authenticate you get a cookie or session key to auto authenticate next time. So while I am no developer I doubt there are any credentials being saved beyond what happens with any other browser. And in either case that is being stored on your PC. Again, no different than any other browser you might use.
 
DQ said:
I don't think AS saves any credentials. The browser they use for Amazon is some slimmed down version of chromium. The others I don't know but they probably all work like any other browser where once you authenticate you get a cookie or session key to auto authenticate next time. So while I am no developer I doubt there are any credentials being saved beyond what happens with any other browser. And in either case that is being stored on your PC. Again, no different than any other browser you might use.
Click to expand...
My memory is Goldfish like these days. But I kind of remember they store the creds in the registry.
 
dvd4fun said:
My memory is Goldfish like these days. But I kind of remember they store the creds in the registry.
Click to expand...
I have never heard that. It really would not make sense for that to be the case given how authentication works most of the time with online platforms. Ultimately there is just no need for it. When you log into Netflix, Amazon or whomever you are using that actual site and that is where the auth happens and where you get a token or a session key. AS I don't believe is providing it, it is just as vehicle for it like any other browser in my summation.
 
Some information to authenticate AS to a provider has to be saved somewhere ... and that is done encrypted in your registry on your computer...
 
Last edited:
dvd4fun said:
As far as Netflix is concerned, it's only a streaming service.
But Amazon... They use the same creds for shopping and vids.

What can you guys say to confort me. Am I sharing my Amazon creds with Redfox?
Click to expand...
Some more technical info to clarify how this works:
Your actual credentials are stored absolutely nowhere.
All that is stored, are session cookies and similar information pertaining to the login session you created, when logging in.

In case of Amazon, AnyStream provides a browser through which you log in. When the login was successful, a session cookie is created (well, a bit more than that, but in principle, that's it) and the browser stores that session information on your local HDD. From then on, AnyStream only needs this session, it doesn't require your credentials, ever.

So... your credentials are never stored, they are only ever shared between you and Amazon. AnyStream's browser "forgets" them, the second you logged in.
 
Pete said:
Some more technical info to clarify how this works:
Your actual credentials are stored absolutely nowhere.
All that is stored, are session cookies and similar information pertaining to the login session you created, when logging in.

In case of Amazon, AnyStream provides a browser through which you log in. When the login was successful, a session cookie is created (well, a bit more than that, but in principle, that's it) and the browser stores that session information on your local HDD. From then on, AnyStream only needs this session, it doesn't require your credentials, ever.

So... your credentials are never stored, they are only ever shared between you and Amazon. AnyStream's browser "forgets" them, the second you logged in.
Click to expand...
I like that! Thank you so much for taking the time to explain this.

After I logged in. I got an email notification from both Amazon and Netflix that a new device was used to connect. I'd like to think they've implemented some measures to tie the stored token to the device in order to prevent unauthorized replay.
 
cartman0208 said:
Some information to authenticate AS to a provider has to be saved somewhere ... and that is done encrypted in your registry on your computer...
Click to expand...
I found where I've read they were stored in the registry :) It was in one of you previous posts.

forum.redfox.bz

Question - Safe to enter Amazon password

The trial wants me to log into my Amazon account on a page within your app - what are the security implications of that? Does RedFox see or retain the account details? Does the software have access to make purchases on the account once logged in? Thanks for any clarification you can offer
forum.redfox.bz forum.redfox.bz

cartman0208 said:
Yes, AnyStream has to cache your credentials in order to not have you log in every time you start the application.
BUT the credentials are saved on your computer in the Registry:
Code: 
Computer\HKEY_CURRENT_USER\Software\RedFox\AnyStream\Media\prime
If you empty the Data-field there, you will have to log in again.

From what I gathered Redfox has no interest in gathering your credentials and I never saw an indication that they did.

Of course the above test does not mean your credentials could not have been copied elsewhere ... but without a bit of trust ... why do you even use the internet?
Click to expand...
 
Status
Not open for further replies.
Back
Top