
Download this Kindle eBook, and have your Amazon account cookies stolen

A security researcher has reported what appears to be an embarrassing flaw on Amazon’s website that could put Kindle users at risk.

Benjamin Daniel Mussler claims that the “Manage Your Content and Devices” and “Manage Your Kindle” services on Amazon’s web-based Kindle Library are vulnerable to a cross-site scripting (XSS) attack, which can be exploited by a boobytrapped eBook title.

Anyone wanting to target a Kindle user would go about their attack by creating an eBook with a specially-crafted title:

<script src="https://www.example.org/script.js"></script>

When the boobytrapped eBook is added to the intended victim’s library, the code will be automatically executed when the Kindle Library webpage is opened.
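The mechanism described above is a stored cross-site scripting bug: a user-controlled field (the book title) is written into the library page's HTML without encoding. The following added example, which is not code from the article or from Amazon, shows the vulnerable rendering pattern beside the hardened one and a simple ingest-time check; the row markup, the function names and the sample library are constructed for illustration, and www.example.org is a placeholder host just as it is in the article.

```javascript
// Added example, not from the article or from Amazon's codebase.
// Shows how a tag smuggled into an eBook title becomes live markup when the
// title is concatenated into a page, and how output encoding prevents it.

// Encode the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the title is spliced straight into the markup, so any tag in it
// is parsed by the browser as part of the page (the flaw the article describes).
function renderLibraryRowVulnerable(book) {
  return `<li class="book"><span class="title">${book.title}</span></li>`;
}

// Hardened: every untrusted field is encoded for the context it lands in.
function renderLibraryRowSafe(book) {
  return `<li class="book"><span class="title">${escapeHtml(book.title)}</span></li>`;
}

// Ingest-time detection: a book title has no legitimate reason to contain
// markup, so flag any title that looks like a tag, a javascript: URL or an
// inline event handler for review before it reaches anyone's library.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|javascript:|on\w+\s*=/i;
function titleLooksLikeMarkup(title) {
  return MARKUP_PATTERN.test(title);
}

function renderLibrary(books, renderRow) {
  return `<ul>${books.map(renderRow).join("")}</ul>`;
}

// True if the rendered page still contains an unencoded <script> start tag.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample library: one ordinary title and one carrying the
// tag-in-title payload pattern from the article (placeholder host).
const SAMPLE_LIBRARY = [
  { title: "A Perfectly Ordinary Novel" },
  { title: '<script src="https://www.example.org/script.js"></script>' },
];

// Stand-alone demo: compare both renderings and run the ingest check.
const vulnerablePage = renderLibrary(SAMPLE_LIBRARY, renderLibraryRowVulnerable);
const safePage = renderLibrary(SAMPLE_LIBRARY, renderLibraryRowSafe);
console.log("vulnerable page contains live <script>:", containsLiveScriptTag(vulnerablePage));
console.log("hardened page contains live <script>:", containsLiveScriptTag(safePage));
for (const book of SAMPLE_LIBRARY) {
  console.log(JSON.stringify(book.title), "->", titleLooksLikeMarkup(book.title) ? "FLAG" : "ok");
}
```

Output encoding at render time is the fix that actually closes the hole; the ingest check is a second line of defence that also gives defenders a log event to alert on. Independently of either, marking session cookies HttpOnly keeps them out of reach of script running in the page, which limits the cookie theft the article describes even when an XSS bug slips through.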

According to Mussler this means that “Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised”.

The good news is that you’re unlikely to find an eBook with a maliciously-crafted title in the official Kindle eBook store, provided Amazon keeps its eyes open. Instead, the only real chance that you might fall victim to the vulnerability is if you pirate eBooks, downloading them from dodgy sources and using Amazon’s “Send to Kindle” service to make them accessible on your reader.

The bad news, however, is that Mussler says he first reported the vulnerability to Amazon in November 2003 – along with a proof-of-concept eBook that grabbed cookies and sent them to him. Amazon’s technical team managed to fix the flaw within four days. Most people would consider that a reasonable response, and a job well done… but there is more to this story.

To Mussler’s shock, the very same vulnerability was introduced approximately two months ago, and currently remains unfixed. The researcher informed Amazon that the security hole has re-emerged, but received no response from the company.

For that reason, Mussler has decided to go public with his findings and even published example code on his website that allows anyone to replicate the vulnerability.

Whether you think public disclosure of the vulnerability was the right approach or not is a matter of some debate. One thing is clear, however. Amazon needs to fix the security hole, even if it is only likely to be a risk for a small number of Kindle users, and fix it permanently.

In the meantime, Kindle users are advised to get their eBooks from official stores – just to be on the safe side…

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

  • There’s a typo in the year Mussler says he first reported the vulnerability to Amazon. It should say 2013 not 2003.

  • Re: “Whether you think public disclosure of the vulnerability was the right approach or not is a matter of some debate.”
    It is only wrong if you view everything as flat with no sides. 2 months is more than enough time. And as I’ve pointed out before (think here), what would (you) prefer? Would you rather the company be forced to fix it OR would you rather have someone find it (Amazon’s acting as if no one knows so it cannot be a problem… flawed logic and if that is indeed their view it is security through obscurity which is even worse) and abuse it? Keep in mind, people, that online stores DO store your credit cards. Should they? No but some do (or have the option to and if you’re lazy, or it defaults to saving, …).

    Make no mistake: this is a necessary evil and otherwise the lesser evil.

    As for the issue… XSS… no comment.