The feud between book lovers about paper and electronic devices is constantly growing. If you are among the ones preferring to enjoy their read on a mobile device, you should be a bit more careful.
Kindle Ebooks Injected with Malicious Code Allow Hackers to Access Amazon Accounts
Apparently there is a new bug attached to e-books that is able to compromise user’s Amazon accounts. A malware researcher has found a security hole on Amazon’s webpage, in the “Manage Your Kindle” page that supplies hackers with the user’s credentials. This occurs when the user uploads a malicious e-book to his account and moves it through Amazon’s system in order to store it on his device.
With The Send to Kindle, plugin users can send personal documents or e-books from Amazon to Kindle. The e-books usually end up archived in the Kindle Library and users can download them on to their devices (Kindle, mobile devices using the Kindle application, etc.) at any moment.
In case, one of these e-books on the user’s device is hacked, and the script gets included in the title, the user’s account in Amazon and all the contained data will be in trouble. Once the compromised e-book that was added to the library is opened, the malicious code is executed. Hackers then gain full access to the Amazon related cookies and can assume control of the account.
The Comeback of the Bug
The bug was first discovered almost a year ago by the researcher Benjamin Mussler. The problem was fixed then, but apparently the bug has made a comeback into the newest version of “Manage Your Kindle” page.
The initial Proof of Concept about this vulnerability was a MOBI e-book that contained a malicious code that collected cookies and has sent them to the researcher. Even though the researcher alerted Amazon about the issue, their Information Security team kept using the same PoC for a few months after the vulnerability was managed. Even more astonishing is the fact that the same vulnerability was included in the new version of the “Manage your Kindle” app.
The researcher informs that the issue did not affect only Amazon. Reportedly Calibre had the same bug a year ago, but it seems to be fixed right now.