An Epub3 eBook Could be Used to Hack Your Tablet, Steal Your Identity, and Cause the Downfall of Western Civilization
Editor’s Note: The comments have been disabled on this post due to an overwhelming abundance of spam. Sorry.
Here’s a story that is a couple weeks old but seems to have gone unreported.
If you’ve been following digital publishing news then you’ve probably heard about the Publishing Hackathon. This was a contest that was held at the same time as BEA 2013. A total of 30 contestants submitted project ideas which, following the true spirit of a hackathon, were developed over the course of a weekend.
I only got a chance to look at that contest and the entries today, and I am surprised that there seems to be no commentary on the fact that one entry truly is a hack.
Eric Hellman showed off an idea that, assuming someone wanted to use it maliciously, could be used as the first step in hacking your tablet, smartphone, or ereader. That is not how Eric used the idea, and that’s not at all how he described it, but it is still one possible use.
What Eric showed off was a new way to generate an "about the author" page inside Epub3 ebooks. Rather than create a static page when the ebook is published/updated, this project created the page from scratch by pulling content from external websites and displaying that content inside the ebook. This idea only worked in the Readium Epub3 reading app, and it pulled content from the Open Library and other safe places.
On a technical level this is very cool, but it should also be raising red flags.
Eric’s idea involves code being executed inside an ebook which goes to an external website, gets content, and displays it inside your ebook.
Do you see the problem?
This might sound a little paranoid, but how do you know that the external website is safe and that the content it downloaded into your ebook is not doing something nefarious behind the scenes?
You don’t know, and that’s a problem. For all we know the code inside a given ebook could lead to a site that will try to hack your ereader, tablet, or smartphone.
Update: A reader has pointed out that this security concern is mentioned in the Epub3 spec (here). Good; let’s hope developers take it seriously.
And I also know that Apple wasn’t the first to consider the possibility that an ebook might access external websites. Liza Daly of Threepress Consulting (now with Safari Books Online) was blogging about the idea as early as June 2010. Her demo involved a location-aware ebook, so it was not any threat to users, but it stands as proof of what is possible.
Are you scared yet? Good.
I’m deeply concerned that Readium has such an obvious security hole, but I also know that there is a relatively simple way to fix this issue. App developers are going to need to either block external connections or, at the very least, make them optional and include popup warning messages.
This reminds me of an old trope about ebooks which is becoming more true as time goes by.
eBooks have often been described as web content wrapped into a file, and while that analogy doesn’t quite work with the simpler ebook formats, when it comes to Epub3 it is almost literally true.
Readers are going to need to be careful where they download ebooks, and, more importantly, reading app developers are going to need to start thinking about how their apps can behave like the security firewalls found on most computers.
Reading apps are going to have the first responsibility of controlling malicious ebooks. If nothing else they will get the blame should something bad happen, and that is why I think the developers should start planning for the worst.
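One way a reading app could decide when to block or warn, as an added example that is not from the original post or from Readium: a pre-open audit that lists which content documents carry script and which remote hosts the book references. The `scripted` manifest property comes from EPUB 3; the function names, the sample book and the host `author-info.example` are constructed for illustration.

```python
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
NS = {"c": "urn:oasis:names:tc:opendocument:xmlns:container",
      "o": "http://www.idpf.org/2007/opf"}
XMLNS = re.compile(rb'xmlns(:\w+)?\s*=\s*"[^"]*"')  # namespace URIs are not fetches
URL = re.compile(rb"""https?://([^\s"'<>)/?#]+)""", re.I)  # group 1: host[:port]
XHTML = '<html xmlns="http://www.w3.org/1999/xhtml"><body>%s</body></html>'

def audit_epub(data):
    """Return (content files carrying script, remote hosts referenced)."""
    scripted, hosts = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        box = ET.fromstring(z.read("META-INF/container.xml"))
        opf_path = box.find(".//c:rootfile", NS).get("full-path")
        opf = ET.fromstring(z.read(opf_path))
        for item in opf.findall(".//o:manifest/o:item", NS):
            href, mtype = item.get("href", ""), item.get("media-type", "")
            remote = URL.match(href.encode())
            if remote:
                hosts.add(remote.group(1).decode("ascii", "replace").lower())
                continue  # the resource itself lives off-device
            if not re.search("xhtml|svg|javascript", mtype):
                continue  # images, fonts, CSS are out of scope here
            path = posixpath.join(posixpath.dirname(opf_path), href)
            body = z.read(path) if path in z.namelist() else b""
            declared = "scripted" in item.get("properties", "").split()
            if declared or "javascript" in mtype or re.search(rb"<script\b", body, re.I):
                scripted.add(href)  # script present, declared or not
            for m in URL.finditer(XMLNS.sub(b"", body)):
                hosts.add(m.group(1).decode("ascii", "replace").lower())
    return sorted(scripted), sorted(hosts)

def sample_epub():
    """Constructed sample book; author-info.example is a placeholder host."""
    files = {
        "META-INF/container.xml": '<container xmlns="%s"><rootfiles>'
            '<rootfile full-path="OEBPS/book.opf"/></rootfiles></container>' % NS["c"],
        "OEBPS/book.opf": '<package xmlns="%s"><manifest>'
            '<item id="a" href="about.xhtml" media-type="application/xhtml+xml"/>'
            '<item id="c" href="ch1.xhtml" media-type="application/xhtml+xml"/>'
            '</manifest></package>' % NS["o"],
        "OEBPS/about.xhtml": XHTML % '<script>fetch("https://author-info.example/bio.json")</script>',
        "OEBPS/ch1.xhtml": XHTML % "<p>Chapter text</p>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf.getvalue()
```

The host list is deliberately conservative: it includes plain hyperlinks as well as URLs a script would fetch, and the `<script>` check does not catch inline event-handler attributes. For books from untrusted sources, parse the XML with a hardened parser such as `defusedxml`.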
image by walknboston