> I resisted the temptation to use the exploit to send myself a million dollars worth of free Amazon gift cards
Sorry, but that's not how Amazon's "Buy It Now" option works. It sends the item to the default address on file. So it would not be possible for the clickjacker to get it mailed to their own address.
You can send a gift card to an email address that you specify. I can't seem to do it now, but I remember being able to pre-populate the email address using a GET variable:
Yes, but even better, you could list your own products on Amazon and get paid whatever amount you want. Of course, there's no way to stop the email receipts from Amazon, but you might be able to get away with it for short period of time.
Sorry, but that's not how Amazon's "Buy It Now" option works. It sends the item to the default address on file. So it would not be possible for the clickjacker to get it mailed to their own address.