A new vector for mobile-focused cyber-criminals has been uncovered in a seemingly innocuous corner: the Amazon Kindle e-reader. It turns out that a cross-site scripting (XSS) vulnerability can allow hackers to use a malicious e-book to compromise Amazon accounts.
German security researcher Benjamin Daniel Mussler originally discovered the flaw, which is present in Amazon's Kindle Library, also known as "Manage Your Content and Devices" and "Manage your Kindle." Hackers could inject malicious code via e-book metadata (for example, in an e-book's title). Once the rogue e-book is added to the victim's library, the code is executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker, opening the door to compromising the victim's Amazon account.
As ever, the users who are most likely to fall victim to this vulnerability are those who eschew the Amazon store for pirated e-books or third-party sources. In these cases, Kindle owners can use Amazon's "Send to Kindle" service to have them delivered to their Kindle.
“From the [criminal’s] point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts,” Mussler said on his blog, adding that “Users who stick to e-books sold and delivered by Amazon should be safe.”
The issue was first uncovered in November of last year, after which Amazon patched it, but the e-tailer re-opened the flaw over the summer with an update to the "Manage your Kindle" application. Since Mussler went public earlier this week, Amazon has patched the flaw again.
“When I first reported this vulnerability to Amazon in November 2013, my initial Proof of Concept, a MOBI e-book with a title similar to the one mentioned above, contained code to collect cookies and send them to me,” Mussler said. “Interestingly, Amazon's Information Security team continued to use this PoC on internal preproduction systems for months after the vulnerability had been fixed. This made it even more surprising that, when rolling out a new version of the "Manage your Kindle" web application, Amazon reintroduced this very vulnerability.”
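The metadata injection described above, and the way the fix later regressed, can be illustrated with an added example (not Amazon's code and not Mussler's PoC): a library row rendered without and with output encoding, plus a regression check that fails when metadata is able to add tags to the page. The function names, the row markup and the sample book are assumptions made for this illustration.

```javascript
// Added example: names, markup and sample data are assumptions, not Amazon's code.

// Encode the characters that let text break out of HTML element content
// or a quoted attribute value.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": metadata is concatenated into the markup as-is, so any markup in
// the title or author field becomes part of the page.
function renderRowUnsafe(book) {
  return `<tr><td class="title">${book.title}</td><td>${book.author}</td></tr>`;
}

// "After": every metadata field is treated as untrusted text and encoded at output.
function renderRowSafe(book) {
  return `<tr><td class="title">${escapeHtml(book.title)}</td>` +
         `<td>${escapeHtml(book.author)}</td></tr>`;
}

// Count tag-like sequences in rendered output.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/!][^>]*>/g) || []).length;
}

// Regression check: rendering a book must produce exactly the tags the
// template produces for plain text. Extra tags mean metadata reached the
// page as markup.
function metadataStaysInert(render, book) {
  const baseline = countTags(render({ title: "x", author: "y" }));
  return countTags(render(book)) === baseline;
}

// Constructed sample: a harmless formatting marker stands in for hostile metadata.
const probeBook = {
  title: 'Probe <b id="marker">title</b> & more',
  author: 'A "quoted" <i>author</i>',
};

console.log(metadataStaysInert(renderRowUnsafe, probeBook)); // false
console.log(metadataStaysInert(renderRowSafe, probeBook));   // true
```

Keeping a check like `metadataStaysInert` in the test suite of the page that renders the library is one way to catch the kind of reintroduction described above before a new version ships.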
Users should update their Kindle software as soon as possible to avoid compromises.