A fairly nasty flaw – the ability to run a script in the title text of an eBook – could compromise the security of your Amazon account. The flaw, which reappeared recently after being patched in October, allows hackers to embed programs right into an eBook file that run when the book is examined via Amazon’s Kindle tools. It seems to be closed as of this writing but it can still affect apps and other websites.
The hack compromised the “Manage Your Content and Devices” and “Manage your Kindle” pages in the Kindle store.
You can read about the exploit here but, in short, it involves injecting a line like “” into a book title. When the book is examined on these pages, the script is run and the attendant cookies can be read and maliciously modified.
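The pattern described above, as an added example that is not from the original article or from Amazon's code: a listing page that concatenates a book's title into HTML, next to a version that encodes the title at output time, plus an upload-side check that flags titles carrying markup. All function names and the sample titles are constructed for illustration.

```javascript
// Added example: rendering an untrusted ebook title in a library listing.
// Every name below is hypothetical; the sample titles are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: metadata is concatenated into markup as-is,
// so a title that contains a tag becomes part of the page.
function renderRowUnsafe(book) {
  return '<tr><td class="title">' + book.title + '</td></tr>';
}

// Hardened pattern: the title is encoded at output time (element body and
// attribute value alike), so the browser displays it as text.
function renderRowSafe(book) {
  const t = escapeHtml(book.title);
  return '<tr><td class="title" title="' + t + '">' + t + '</td></tr>';
}

// Upload-side check: flag titles that carry markup so they can be logged
// or reviewed. This supplements output encoding; it does not replace it.
function titleLooksLikeMarkup(title) {
  return /<\s*\/?\s*[a-zA-Z][^>]*>/.test(String(title));
}

// Constructed sample metadata: one ordinary title, one carrying a tag.
const SAMPLE_BOOKS = [
  { title: 'Pride & Prejudice' },
  { title: '<script>alert("title")</script>' },
];

// Render each sample both ways and report whether the upload check fires.
function demo() {
  return SAMPLE_BOOKS.map((b) => ({
    flagged: titleLooksLikeMarkup(b.title),
    unsafe: renderRowUnsafe(b),
    safe: renderRowSafe(b),
  }));
}
```
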
While most legitimate ebooks are safe, hackers could use this to target pirates. Writes researcher Benjamin Daniel Mussler:
The Kindle reads .mobi files, a popular format for pirated (and legitimate) ebooks. The flaw does not affect Amazon’s own specially formatted .azw files. Mussler includes a proof-of-concept file that made your Kindle account page throw a number of pop-up windows. It appears the hack no longer works with the demo document – I sent it to myself twice – but there are a number of screenshots suggesting that the exploit is active.
While this vulnerability is most probably innocuous at this point, the hack could trick other services and other apps down the line. Be wary, then, of downloading pirated or home-brew ebooks.