CSRF: Place Arbitrary Items in a Victim's Amazon Shopping Cart





I submitted this issue to the Amazon Vulnerability Research Program via hackerone.com but they rejected it due to what they referred to as "minimal impact". I believe this is a medium severity vulnerability which could be abused by sellers to trick victims into purchasing their product. Since I believe it should be patched, I'm posting here.

The attack is a simple CSRF. The attacker convinces the victim to navigate to a crafted URL, which causes an item (and quantity) of the attacker's choice to be placed in the victim's amazon.com shopping cart. Most users are then presented with a checkout page that requires confirmation; a user who does not want the product will most likely just navigate away. However, the item remains in their shopping cart after they do so. If the account is new and has no shipping or payment method on file, the user is not shown a checkout page listing the item at all, only a page prompting for shipping and payment information. In that case it is not at all apparent that an item was added to the cart, and the user will likely navigate away without knowing what happened. In both cases, the next time the user checks out they may not notice the items placed in their cart by the CSRF attack (especially a high-volume buyer with many items already in the cart), and could end up buying a product they did not want.

This is of course only a medium severity issue, but I believe it could be abused by Amazon sellers to market more intrusively and aggressively. It goes without saying that one should always double-check one's shopping cart before finalizing a purchase, but it also should not be possible for an attacker to manipulate a victim's shopping cart via CSRF. Below is a PoC CSRF URL; the values of the asin and quantity parameters can be set arbitrarily by the attacker. Warning: if you are logged into amazon.com, visiting this URL will place items in your shopping cart:

https://www.amazon.com/gp/checkoutportal/enter-checkout.html/ref=pd_bap_d_rp_bn_8?asin=B00005BZKD&buyNow=1&quantity=3

By the way, I discovered this vulnerability while inspecting the "buy now" feature: I clicked "buy now" on an item and inspected the resulting traffic with Burp Suite. I was not able to mount a CSRF attack that makes a user "buy now", but I did happen upon this URL of interest.
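To make the root cause concrete, here is an added illustration (my own code, not anything from the post or from Amazon) of the bug pattern beside its fix: a cart endpoint that changes state on a GET with no anti-forgery check, next to one that only accepts a POST from a first-party Origin/Referer carrying a per-session token. The origin shop.example, the Request/Session classes and the handler names are assumptions; the sample requests are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit
SITE_ORIGIN = "https://shop.example"  # hypothetical first-party origin

@dataclass
class Request:
    method: str
    params: dict                              # query string or form body
    headers: dict = field(default_factory=dict)

@dataclass
class Session:
    cart: dict = field(default_factory=dict)  # asin -> quantity
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def add_to_cart_vulnerable(req: Request, session: Session) -> int:
    """Bug pattern: any request carrying the session cookie mutates the cart, GET included."""
    asin, qty = req.params["asin"], int(req.params.get("quantity", 1))
    session.cart[asin] = session.cart.get(asin, 0) + qty
    return 200

def add_to_cart_hardened(req: Request, session: Session) -> int:
    """Fix: POST only, first-party Origin/Referer only, per-session token."""
    if req.method != "POST":
        return 405                            # a plain link cannot POST
    src = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{src.scheme}://{src.netloc}" != SITE_ORIGIN:
        return 403                            # cross-site or missing origin
    if not hmac.compare_digest(req.params.get("csrf_token", ""), session.csrf_token):
        return 403                            # token absent or forged
    asin, qty = req.params["asin"], int(req.params.get("quantity", 1))
    session.cart[asin] = session.cart.get(asin, 0) + qty
    return 200

def demo() -> dict:
    """Replay the post's scenario (constructed requests) against both handlers."""
    params = {"asin": "B00005BZKD", "quantity": "3"}
    link = Request("GET", params, {"Referer": "https://attacker.example/page"})
    s1, s2 = Session(), Session()
    out = {"vuln_get": add_to_cart_vulnerable(link, s1), "vuln_cart": dict(s1.cart)}
    out["hard_get"] = add_to_cart_hardened(link, s2)
    forged = Request("POST", {**params, "csrf_token": "guess"}, {"Origin": "https://attacker.example"})
    out["hard_forged"] = add_to_cart_hardened(forged, s2)
    legit = Request("POST", {**params, "csrf_token": s2.csrf_token}, {"Origin": SITE_ORIGIN})
    out["hard_legit"] = add_to_cart_hardened(legit, s2)
    return {**out, "hard_cart": dict(s2.cart)}
```

The vulnerable handler accepts the cross-site GET and adds three units; the hardened one rejects the same request with 405, rejects a forged cross-site POST with 403, and only updates the cart for the first-party POST carrying the session's token.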




