Amazon Order History Encryption Bypass
14 May 2021

The Amazon US website allows you to export your Order History easily by visiting the “Order History Reports” page. No such option seems to exist for the Amazon websites for other countries. I was trying to write a simple scraper for the Amazon India Order History Page to get the same data, and discovered something interesting: Amazon encrypts the Order history page, and decrypts it using client side cryptography. If you were to visit the page, and check the response HTML, you’d see something like this in the source code (fairly simplified):
```javascript
// Define encrypted content in JS
var payload = {
  "kid": "b70014",
  "iv": "/HenfXwYrGrrw8ff",
  "ct": "Wt78pPcibe8HAdVtoJ8+E9EGwt4IQYNghBMubBy7Zy/..."
}
// The HTML div to be populated with the decrypted HTML
var elementId = "csd-encrypted-889C1D02..";
// if client side decryption library failed to load
if (!window.SiegeClientSideDecryption) {
  window.location.href = "?disableCsd=missing-library";
  return;
}
// Decrypt and populate the div
SiegeClientSideDecryption.decryptInElementWithId(
  elementId, payload, {callSource: "now"}
);
```
The easiest way to scrape with such hurdles is often to just run a complete browser to scrape the site. The browser runs the javascript code with the decryption routine so you can scrape the actual content. However, it is much slower, and wastes CPU cycles - I try to avoid it if I can.
I could have spent time to parse the encryption routine, extract the key and decrypt the payload. But I found a much simpler solution - Amazon offers an alternate URL which disables encryption. As a fallback, in case the decryption code fails, it adds a query parameter `?disableCsd=missing-library`. That disables the server side encryption entirely.
So if you’re trying to scrape Amazon and stumped at the missing order history in the HTML, try visiting the following URLs instead:
- https://www.amazon.in/gp/css/order-history?disableCsd=missing-library
- https://www.amazon.co.uk/gp/css/order-history?disableCsd=missing-library
- https://www.amazon.com/gp/css/order-history?disableCsd=missing-library
Amazon also sets a cookie `csd-key=disabled` but I didn’t experiment with that much.
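The check described above, written as an added example that is not code from the original post or from Amazon: it inspects a response body for the `payload` object and reads the fallback redirect the page itself carries. The helper name `inspectCsd`, the regular expressions and `SAMPLE_HTML` are assumptions modeled on the simplified snippet; the real markup may differ.

```javascript
// SAMPLE_HTML is constructed for this example, shaped like the simplified
// snippet in the post; the "ct" value is a placeholder, not real ciphertext.
const SAMPLE_HTML = `
<div id="csd-encrypted-EXAMPLE"></div>
<script>
var payload = {
  "kid": "b70014",
  "iv": "/HenfXwYrGrrw8ff",
  "ct": "Q09OU1RSVUNURUQtU0FNUExFLUNJUEhFUlRFWFQ="
}
var elementId = "csd-encrypted-EXAMPLE";
if (!window.SiegeClientSideDecryption) {
  window.location.href = "?disableCsd=missing-library";
}
</script>`;

// Hypothetical helper: report whether a page body is client-side encrypted
// and which fallback URL the page redirects to when decryption is unavailable.
function inspectCsd(html, pageUrl) {
  const payloadMatch = html.match(/var\s+payload\s*=\s*(\{[\s\S]*?\})/);
  if (!payloadMatch) return { encrypted: false };

  let payload;
  try {
    payload = JSON.parse(payloadMatch[1]); // the literal uses quoted keys
  } catch (err) {
    return { encrypted: false, error: "payload is not valid JSON" };
  }
  const missing = ["kid", "iv", "ct"].filter((k) => typeof payload[k] !== "string");
  if (missing.length > 0) {
    return { encrypted: false, error: "missing " + missing.join(",") };
  }

  const target = html.match(/var\s+elementId\s*=\s*"([^"]+)"/);
  const fallback = html.match(/location\.href\s*=\s*"(\?[^"]+)"/);
  return {
    encrypted: true,
    kid: payload.kid,
    ivBytes: Buffer.from(payload.iv, "base64").length, // decoded IV length
    elementId: target ? target[1] : null,
    // Resolve the relative "?disableCsd=..." redirect against the page URL.
    fallbackUrl: fallback ? new URL(fallback[1], pageUrl).href : null,
  };
}

console.log(inspectCsd(SAMPLE_HTML, "https://www.amazon.in/gp/css/order-history"));
```

The `iv` value shown in the post decodes to 12 bytes.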
Request My Data
Another alternative to scraping is to request your data from Amazon. Check the `Retail.OrderHistory` CSV files in the data export. The export from `amazon.com` includes data for other countries as well. The feature is also available on other Amazon sites:
- Amazon US - Request My Data
- Amazon India - Request My Data
- Amazon UK - Request My Data
- Amazon Germany - Request My Data