A security researcher revealed this week that Amazon and other ebook retailers had neglected to patch a fifteen-year-old XML security flaw.
From The Register:
The similar but separate XML external entity (XXE) flaws also impact all online epub ebook services that use the popular epubcheck library that ensures good format conversions into the universal epub book format.
“[I] applied a familiar XXE pattern to exploit services and readers that consume the epub format [and exploited] vulnerabilities in EpubCheck, Adobe Digital Editions, Amazon KDP, Apple Transporter, and Google Play Book uploads,” Arendt says.
“The validator tool (EpubCheck) was vulnerable to XXE, so any application that relies on a vulnerable version to check the validity of a book would be susceptible to this type of attack.”
The named vendors have applied patches preventing the possible information disclosure and denial of service conditions.
Apple’s Transporter which ships books to the App Store was also affected.
In one instance Arendt accidentally grabbed the shadow password file for one unnamed service using the vulnerable EpubCheck library.
Google Play Books was not vulnerable to XXE but was to the XML exponential entity expansion mess, a flaw that leads to denial of service through an explosive growth of parsed data.
You can find the technical details over on the original source, a blog hosted on GitHub.
So what does this mean for readers?
Not much – the problems have been fixed, and the software patched.
And had attackers exploited this hole before it was patched, the damage would have been done to the affected company's servers, and so to every customer of that company, not just to its ebook users.
As Baldur Bjarnason explained, this would have compromised that tech company’s servers. “Generally it either lets you read from the file system or from the network. Specifics depend on the victim’s setup,” he told me this morning. “The possibilities include reading sensitive data from the file system, read/attack less locked down intranet sites, DoS.”
“Worst case scenario would be if the attacker used this to acquire auth credentials like crypto keys. But the worst case scenario depends on the targeted setup being misconfigured which isn’t that likely in this case.”
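The two failure modes described above, the external-entity file read and the exponential entity expansion, can be shown against a minimal EPUB package document (OPF). What follows is an added example written for this post; it is not EpubCheck's code (EpubCheck is a Java tool) and not the researcher's payload. It uses Python's standard-library expat parser, a constructed OPF with an internal DTD subset, and a constructed temp file standing in for the shadow file the researcher pulled by accident. The "vulnerable" parser wires up a resolver that turns `ENTITY SYSTEM` into a file read and expands internal entities without limit; the "hardened" one installs no resolver and caps how much text may come out relative to what went in. All function and entity names are this example's own.

```python
"""XXE and entity expansion against an EPUB package document, shown with
Python's stdlib expat.  Added example; all inputs below are constructed."""
import os
import tempfile
import xml.parsers.expat

class ExpansionBudgetExceeded(ValueError): """Entity expansion blew past the budget."""

def build_opf(entity_decls: str, title: str) -> bytes:
    """Minimal package document with an internal DTD subset.  The title is
    where the attacker's entity lands; upload services echo it back as metadata."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE package [
{entity_decls}
]>
<package xmlns="http://www.idpf.org/2007/opf" version="3.0">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>{title}</dc:title>
  </metadata>
</package>""".encode()

def xxe_decls(target_path: str) -> str:
    # External general entity pointing at a local file (POSIX path assumed).
    return f'  <!ENTITY xxe SYSTEM "file://{target_path}">'

def expansion_decls(depth: int = 4) -> str:
    # Each level is ten copies of the one below: depth 4 expands to 10**4 "lol"s.
    decls = ['  <!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * 10
        decls.append(f'  <!ENTITY lol{i} "{refs}">')
    return "\n".join(decls)

class _Collector:
    """Gathers <dc:title> text and counts every character expat emits."""
    def __init__(self, parser):
        self.title, self.emitted, self.in_title = "", 0, False
        parser.StartElementHandler = lambda name, attrs: self.flag(name, True)
        parser.EndElementHandler = lambda name: self.flag(name, False)
        parser.CharacterDataHandler = self.chars
    def flag(self, name, inside):
        if name == "dc:title":
            self.in_title = inside
    def chars(self, data):
        self.emitted += len(data)
        if self.in_title:
            self.title += data

def parse_vulnerable(opf: bytes) -> str:
    """Fetches SYSTEM entities from disk and expands internal entities without limit."""
    parser = xml.parsers.expat.ParserCreate()
    collector = _Collector(parser)

    def fetch_external(context, base, system_id, public_id):
        # expat fetches nothing by itself; a resolver like this one is what turns
        # ENTITY SYSTEM into a file read (a URL opener would add the network half).
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            body = fh.read()
        parser.ExternalEntityParserCreate(context).Parse(body, True)  # inherits handlers
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(opf, True)
    return collector.title

def parse_hardened(opf: bytes, max_amplification: int = 10) -> str:
    """No resolver at all (expat then skips the reference) plus an output budget."""
    parser = xml.parsers.expat.ParserCreate()
    collector = _Collector(parser)
    budget = len(opf) * max_amplification  # legitimate text never exceeds 1x

    def guarded_chars(data):
        collector.chars(data)
        if collector.emitted > budget:
            raise ExpansionBudgetExceeded(f"output exceeded {max_amplification}x input")

    parser.CharacterDataHandler = guarded_chars
    parser.Parse(opf, True)
    return collector.title

def demo() -> dict:
    """Run both parsers over both documents and report what each one saw."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secrets.env")  # stands in for /etc/shadow
        with open(secret_path, "w") as fh:
            fh.write("db_password=hunter2\n")  # constructed secret
        xxe = build_opf(xxe_decls(secret_path), "&xxe;")
        bomb = build_opf(expansion_decls(), "&lol4;")
        out = {"vulnerable_xxe": parse_vulnerable(xxe).strip(),
               "vulnerable_bomb_len": len(parse_vulnerable(bomb)),
               "hardened_xxe": parse_hardened(xxe)}
        try:
            out["hardened_bomb"] = len(parse_hardened(bomb))
        except ExpansionBudgetExceeded:
            out["hardened_bomb"] = "rejected"
    return out
```

Running `demo()` shows the vulnerable parser handing back the secret as the book's title and turning a few hundred bytes of entity declarations into a 30,000-character title, while the hardened parser returns an empty title for the first document and rejects the second. This mirrors the split the article reports: a service can have external entities switched off and still be open to the expansion attack, so both settings have to be checked. For the package document, which never needs a DTD, rejecting any DOCTYPE outright via `StartDoctypeDeclHandler` is simpler still; XHTML content documents may legitimately carry `<!DOCTYPE html>`, so there the resolver stays off and the budget stays on. Newer expat builds ship a similar amplification limit of their own, but it only activates past a size threshold, so a small bomb like this one passes straight through it.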
image by The Preiser Project