For the longest time now I've been bugged by the fact that Amazon continues to label the 4 year old web browser on the Kindle experimental, but after today's news I can see that it is still an experiment.
A German security firm has just posted a proof of concept hack which exploits a security hole in the web browser on the Kindle Touch.
The security hole was identified about 3 months ago over on MobileRead. It seems that the latest update to the Kindle Touch added a new plugin for the web browser.
It's a NPAPI plugin, and you actually have a variation of it running in your web browser right now. Ever open a PDF in the browser? That's one kind of NPAPI plugin, but in the case of the Kindle Touch the plugin is set to look for commands embedded in webpages and then execute them on the Kindle Touch.
Okay that doesn't sound like much, but it turns out that the plugin can execute the commands with admin or root privileges on the Kindle Touch. For example, if a hacker embedded the right commands in a webpage, they could erase your Kindle. There's also a chance that the hacker might be able to get at the credentials for your Amazon account.
This is something of a concern, but I wouldn't get too worried. So far it doesn't seem that very many people have noticed the hole. There's a browser-based reports that Amazon is working on a patch which will close the hole.that exploits it, but that's about it. And there are
At worst you'll end up reporting fraud on your account. It's a pain, but not the end of the world. Still, I'd give up on any potentially unsafe web browsing for the time being, just to be safe.
So apparently Amazon's definition of experimental involves using all of us as guinea pigs. Hey, Amazon, take this experimenter back to the lab, would ya?