Most internet users know that illegally downloading movies and music can be a dangerous and a way to get viruses, malwares & spywares on your computer, but now hackers can also exploit the pirated ebooks. If you came across a Kindle e-book download link from any suspicious sources or somewhere other than Amazon itself, check twice before you proceed. As downloading an pirated eBook could put your personal information & Amazon account credentials at risk.
Benjamin Daniel Mussler an German security researcher has discovered a security loophole in Amazon’s Kindle Library that could lead to cross-site scripting (XSS) attacks and lets hackers hide malicious code in a book’s metadata that can compromises account data when you upload a malicious pirated ebook.
Gaining access to your Amazon account credentials is one of the biggest boons for hackers, as they can set-up new credit cards in your account or max out the current ones on file with some big Amazon purchases. Additionally, they could compromise your other online accounts with the help of those credentials and personal information contained in your Amazon account.
Flaw was Fixed & Re-Introduced Again
The vulnerability was originally discovered by German security researcher Benjamin Daniel Mussler in October last year and was subsequently patched by the company in December. However, the vulnerability was re-introduced after an update and has been active since at least July this year, despite being reported by Mr Mussler to Amazon’s security team. After hearing no reply from the company for several months, he decided to go public with the flaw.
The Kindle flaw gives hackers access to Amazon accounts by stealing their browsing credentials (the cookie saved by your computer that tells Amazon’s website that you’re you) As a result, your Amazon account can be compromised which could potentially expose users’ personal addresses, Credit details and order history as well.
“Malicious code can be injected via ebook metadata; for example, an ebook’s title,” wrote Mr Mussler on his personal blog, adding that “the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised.”
Proof Of Concept :
According to Mr Mussler, Amazon used his proof of concept attack code during its testing of the Manage your Kindle page and was surprised that an oversight suggests that the exploit is still working. But, users who stick to e-books sold and delivered by Amazon are safe.
this exploit only affects users who download pirated eBooks from other sources, so don’t worry about adding an eBook to your Amazon shopping cart any time soon.
Update: Mr Mussler told The Independent over email that he believes Amazon has now fixed the flaw.