Security Hole Found in Kindle Touch Web Browser

For the longest time now I've been bugged by the fact that Amazon continues to label the 4-year-old web browser on the Kindle experimental, but after today's news I can see that it is still an experiment. A German security firm has just posted a proof-of-concept hack which exploits a security hole in the web browser on the Kindle Touch.

The security hole was identified about 3 months ago over on MobileRead. It seems that the latest update to the Kindle Touch added a new plugin for the web browser.

It's an NPAPI plugin, and you actually have a variation of it running in your web browser right now. Ever open a PDF in the browser? That's one kind of NPAPI plugin, but in the case of the Kindle Touch the plugin is set to look for commands embedded in webpages and then execute them on the Kindle Touch.

Okay, that doesn't sound like much, but it turns out that the plugin can execute the commands with admin or root privileges on the Kindle Touch. For example, if a hacker embedded the right commands in a webpage, they could erase your Kindle. There's also a chance that the hacker might be able to get at the credentials for your Amazon account.

This is something of a concern, but I wouldn't get too worried. So far it doesn't seem that very many people have noticed the hole. There's a browser-based jailbreak that exploits it, but that's about it. And there are reports that Amazon is working on a patch which will close the hole.

At worst you'll end up reporting fraud on your account. It's a pain, but not the end of the world. Still, I'd give up on any potentially unsafe web browsing for the time being, just to be safe.

So apparently Amazon's definition of experimental involves using all of us as guinea pigs. Hey, Amazon, take this experimenter back to the lab, would ya?


About Nate Hoffelder (11473 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader: "I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."
