Tuesday, September 16, 2014

Kindle security flaw can be exploited by hidden codes in e-books

Source: http://www.engadget.com/2014/09/16/kindle-security-flaw-e-books/

Next time you come across a Kindle e-book link somewhere other than Amazon itself, you may want to make sure it's not some dubious website before you hit download or "Send to Kindle." A security researcher by the name of Benjamin Daniel Musser has discovered that the "Manage Your Kindle" page contains a security hole -- one that hackers can take advantage of with the help of e-books hiding malicious lines of code. Once you load the Kindle Library with a corrupted e-book (typically with a subject that includes <script src="https://www.example.org/script.js"></script>), a hacker gets access to your cookies, and, hence, your Amazon account credentials.

Based on the updates Musser wrote at the bottom of the report's web page, he first discovered the flaw in October last year. Amazon patched it up shortly after he reported it, but it made its way back after a "Manage Your Kindle" overhaul. Still, he believes the issue should be easy to avoid, so long as you don't download e-books (pirated or otherwise) from websites you don't know. Aside from Kindle, another Amazon-owned service was also thrust into the spotlight earlier for exhibiting a security flaw. Audible, the company's audiobooks service, apparently allowed users to use fake emails and credit card numbers in order to download as many files as they want. An Audible spokesperson stressed, however, that transactions made using fake credit cards were "closed quickly" and that the service takes credit card fraud seriously.

Filed under: ,

Comments

Via: The Digital Reader

Source: B.FL7.DE