Malicious Kindle Ebooks Help Hackers Access Amazon Accounts

The feud among book lovers over paper versus electronic devices keeps growing. If you are among those who prefer to read on a mobile device, you should be a bit more careful.

Kindle Ebooks Injected with Malicious Code Allow Hackers to Access Amazon Accounts

Apparently there is a new bug attached to e-books that can compromise users' Amazon accounts. A malware researcher has found a security hole in the “Manage Your Kindle” page on Amazon’s website that supplies hackers with the user’s credentials. It is triggered when the user uploads a malicious e-book to their account and passes it through Amazon’s system in order to store it on their device.

With the Send to Kindle plugin, users can send personal documents or e-books from Amazon to their Kindle. The e-books usually end up archived in the Kindle Library, and users can download them to their devices (a Kindle, a mobile device running the Kindle application, etc.) at any moment.

If one of these e-books is tampered with and a script is embedded in its title, the user’s Amazon account and all the data it holds are at risk. Once the compromised e-book that was added to the library is opened, the malicious code executes. Hackers then gain full access to the Amazon-related cookies and can take control of the account.
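As an added example, not code from the researcher's PoC or from Amazon's site, the following Python contrasts a hypothetical library page that inserts an e-book title straight into its HTML with one that HTML-encodes it first, and adds an upload-side check that flags titles carrying markup. The rendering functions, the regular expression and the sample titles are all constructed for this illustration.

```python
import html
import re

# Constructed sample titles, standing in for the e-book metadata an upload
# page might receive. The second carries a harmless XSS probe in its title.
SAMPLE_TITLES = [
    "Pride and Prejudice",
    "My Notes <script>alert(1)</script>",
]


def render_row_unsafe(title: str) -> str:
    """Hypothetical vulnerable rendering: the title is concatenated straight
    into the page, so any markup it contains becomes live in the browser."""
    return "<tr><td class='title'>" + title + "</td></tr>"


def render_row_safe(title: str) -> str:
    """Hardened rendering: encode the untrusted metadata before it reaches the
    page. '<' becomes '&lt;', so the browser displays the text instead of
    executing it."""
    return "<tr><td class='title'>" + html.escape(title, quote=True) + "</td></tr>"


# Defender-side heuristic for an upload pipeline or log review: a tag opener
# or an on*= event-handler attribute in a book title deserves a second look.
# It is deliberately broad and may flag benign text containing "on...=".
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(title: str) -> bool:
    return MARKUP_RE.search(title) is not None


def scan_titles(titles):
    """Return the titles an upload pipeline should hold for review."""
    return [t for t in titles if looks_like_markup(t)]


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print("unsafe:", render_row_unsafe(t))
        print("safe:  ", render_row_safe(t))
    print("flagged:", scan_titles(SAMPLE_TITLES))
```

Encoding at render time is the fix that stops the script from running; the scan only tells you which uploads to look at, and marking the session cookies HttpOnly limits what a script that does slip through can read.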

The Comeback of the Bug

The bug was first discovered almost a year ago by the researcher Benjamin Mussler. The problem was fixed at the time, but the bug has apparently made a comeback in the newest version of the “Manage Your Kindle” page.

The initial proof of concept for this vulnerability was a MOBI e-book containing malicious code that collected cookies and sent them to the researcher. Even though the researcher alerted Amazon to the issue, its Information Security team kept using the same PoC for a few months after the vulnerability was managed. Even more astonishing is that the same vulnerability was included in the new version of the “Manage Your Kindle” app.

The researcher notes that the issue did not affect Amazon alone: Calibre reportedly had the same bug a year ago, but it appears to have been fixed since.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
