XSS Flaw Burns a Hole in Kindle Security

Amazon may be red-faced about a security flaw in the Kindle library that it fixed once, then reintroduced in a later version, but the company so far has been silent on the issue. Though the threat level appears to be low at this point, Amazon's lack of attention to it could be troublesome. This "makes it look like they don't take security seriously," said tech analyst Rob Enderle.

Security consultant Benjamin Mussler last week warned that the Kindle e-book library had a cross-site scripting vulnerability.

It appears Amazon previously had fixed the XSS flaw but two months ago reintroduced it in a new version of the “Manage Your Kindle” Web application, according to Mussler.

Mussler first reported the XSS vulnerability to Amazon last November, and it was fixed. However, Amazon’s IT staff continued to use his proof of concept on internal preproduction systems for months afterward, he claimed.

“This made it even more surprising that, when rolling out a new version of the ‘Manage Your Kindle’ Web application, Amazon reintroduced this very vulnerability,” Mussler said.

Honesty Is the Best Policy

People who download pirated e-books are at greatest risk, according to Mussler.

“The biggest problem is reserved for those grabbing files from freebie download sites they haven’t heard of, or random torrents,” Chris Boyd, malware intelligence analyst at Malwarebytes, told TechNewsWorld.

That caution applies to downloads from untrusted sources in general, not just e-books.

The Kindle Flaw

The XSS flaw lets hackers inject malicious code into a victim’s account through e-book metadata such as an e-book’s title, Mussler wrote.

The code will execute as soon as the victim opens the Kindle Library Web page after downloading a poisoned e-book.

Hackers can access and steal the victim’s Amazon account cookies, Mussler said.

Users who stick to e-books from Amazon’s store should be safe.
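The mechanism described above is a stored XSS: an untrusted metadata field (the title) is written into the library page without output encoding. The following Python snippet is an added illustration, not Mussler's proof of concept or Amazon's code; the renderer functions, the sample titles and the `session` cookie name are hypothetical, and the marker `alert(1)` stands in for whatever a real payload would do.

```python
import html
import re

# Constructed sample metadata: two ordinary titles and one whose title
# field carries markup. Purely illustrative input for this example.
SAMPLE_TITLES = [
    "Pride and Prejudice",
    'Cooking "Light" & Easy',
    "<script>alert(1)</script>",
]


def render_library_unsafe(titles):
    """'Before' pattern: untrusted metadata concatenated straight into HTML.
    Markup inside a title becomes live markup in the page."""
    rows = "".join(f'<li title="{t}">{t}</li>' for t in titles)
    return f"<ul>{rows}</ul>"


def render_library_safe(titles):
    """Hardened pattern: escape every untrusted value for its output context.
    html.escape(quote=True) covers both the text node and the double-quoted
    attribute used here (& < > " and ' are all encoded)."""
    rows = "".join(
        f'<li title="{html.escape(t, quote=True)}">'
        f"{html.escape(t, quote=True)}</li>"
        for t in titles
    )
    return f"<ul>{rows}</ul>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_markup(page: str) -> bool:
    """Regression check for a review or test suite: does the rendered page
    still contain an unescaped script tag? Escaped output (&lt;script&gt;)
    does not match."""
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id: str) -> str:
    """Defence in depth against the cookie theft the article describes:
    HttpOnly keeps the session cookie unreadable from page script, Secure
    limits it to TLS and SameSite narrows cross-site sending."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("unsafe renders live script:", contains_live_markup(render_library_unsafe(SAMPLE_TITLES)))
    print("safe renders live script:  ", contains_live_markup(render_library_safe(SAMPLE_TITLES)))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Escaping at the point of output is the fix; the HttpOnly flag only limits what a successful injection can reach, which is why it is shown as a second layer rather than a substitute.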

A Storm in a Teacup?

“On a scale of 1 to 10, with 10 being the kind of exploit suffered by Target or TJ Maxx, this would probably rate a 2 or 3,” Charles King, principal analyst at Pund-IT, told TechNewsWorld.

Still, “no vendor likes to be seen as being unable to keep its customers’ personal information secure, whether or not it’s relatively mundane,” King pointed out.

Timing Is Everything

The real problem with the XSS flaw is that Amazon “has not addressed this issue in a timely fashion,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.

That’s where the situation could cause Amazon grief, because that “makes it look like they don’t take security seriously, and this would raise red flags for users of Amazon Web Service,” he remarked.

If enough Kindle users are affected, this “could do material damage to Amazon’s brand,” Enderle warned.

“Kindle is an Amazon storefront and does provide the opportunity for a mass Target-scale breach,” he pointed out, “which would be very bad for Amazon, given it addressed the vulnerability [previously] and then reintroduced it.”

Amazon did not respond to our request to comment for this story.

Now Hear This!

On the heels of the news about the Kindle flaw, another problem cropped up for Amazon.

The company’s Audible audiobook service contains a vulnerability that anyone can exploit in order to download unlimited audio books for free, Business Insider reported on Monday.

Computer science student Alan Joseph discovered that the site apparently does not authenticate credit card payments before letting visitors purchase books.

Joseph’s code reportedly let Business Insider use fake credit card information to purchase Audible’s most expensive membership program, a US$229 Platinum Annual Membership that allows buyers to download 24 books.

Amazon apparently was first made aware of the exploit in March 2013 but did not take action, according to the report.

Amazon does display a warning after trying to verify payment, but hackers apparently can get around that by renewing their membership using the same fake credit card information.

Amazon reportedly told Business Insider that the exploit was a fraud issue, not a security issue, noting that customer data was not at risk.

The customer experience was not affected by the flaw, it maintained. However, Amazon said it does take fraud seriously.

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
