Critical Amazon Kindle flaw could let hackers take over your account - don't fall for this

Kindle (2024)
(Image credit: Tom's Guide)

During a presentation at a Black Hat convention in London, an ethical hacker revealed an exploit that could expose Amazon accounts and credit card information. For the most part, the best eReaders are safe from most hacks, but everything has a vulnerability.

Valentino Ricotta, an engineering analyst at Thales, gave a presentation during the conference where he created a malicious ebook that enabled him to exploit loopholes in the Kindle. After downloading the book to a Kindle, he was able to access the linked Amazon account.

“It can even buy books from the store with my credit card in a single click,” Ricotta said during the presentation, according to Cybernews.

It’s long been possible to side-load books onto your Kindle from third-party sellers by downloading the titles and then transferring them via USB or the Amazon website. That means a malicious book can reach your Kindle even when the device isn't connected to the internet.

How the exploit works

Kindle Scribe (2025)

(Image credit: Tom's Guide)

When a book, audiobook, PDF or image is placed on a Kindle, the system enters a “parsing” stage, where it automatically scans the file to extract metadata such as the title and author and converts the content into a readable format. This parsing stage is where Ricotta found the fault.

“It’s about being aware of these kinds of threats, and not trusting third-party websites,” Ricotta added.

Ricotta claimed that the flaw could be turned into code execution, which would allow an attacker to make the Kindle run their instructions. Because Kindles aren’t regularly turned off or reset like other devices, an unreliable exploit still gets its chance: it can keep retrying in the background, effectively brute-forcing its way in, as the eReader sits on your nightstand.

Once the code runs, it gains limited access, enough to steal the Amazon session cookies that keep you logged in. Those cookies could let hackers access an Amazon account without knowing the password. From there, Ricotta showed how he eventually gained complete control of the device by chaining the original flaw to a second one that let him use the on-screen keyboard.

Ricotta reportedly informed Amazon of the flaws, which were deemed critical and fixed before he gave his presentation. He was awarded a $20,000 “bug bounty” for finding the vulnerability, which he says he donated to charity.

Similar flaws found previously

Amazon Kindle (2022)

(Image credit: Future)

As Cybernews notes, this flaw seems very similar to one found in 2020 by security researcher Yogev Bar-On and his colleagues, who discovered a series of loopholes that would have let hackers take over a Kindle via an ebook.

The “KindleDrip” exploit also took advantage of code in the parsing stage and the “Send to Kindle” feature. As with Ricotta’s, Bar-On’s exploit was patched, in December 2020, and he received an $18,000 bug bounty. As far as we’re aware, no active abuse of either of these flaws has been reported.

When asked about the flaws, an Amazon spokesperson told Tom's Guide, "We identified and fixed vulnerabilities affecting Kindle E-readers and the Audible functionality on these devices. All affected devices have received automatic updates addressing these issues. We appreciate the security researchers who help us maintain high security standards for our customers."

We were also informed that there is no evidence that the vulnerability has been actively used outside of Ricotta's tests.

How to stay safe from Kindle exploits

Kindle Paperwhite

(Image credit: Amazon)

A common thread between Ricotta’s exploit and the older KindleDrip is that both hinge on self-published titles. Amazon lets authors self-publish eBooks and audiobooks, which is a great way for newer authors to sell their stories.

However, as these vulnerabilities show, self-published titles can also be used to introduce malicious code to your Kindle. Before you download an eBook or audiobook, do some research on the author or publisher: check the ratings and reviews, and look up the author or publisher to make sure they exist.

Additionally, be wary of free eBook offerings, with the exception of apps like Libby, which pulls from your local library, and the long-running Project Gutenberg, which provides classic, public-domain literature. Otherwise, avoid third-party sites, especially ones you’ve never seen before.

Fortunately, as mentioned above, this exploit has already been patched.


Scott Younker
West Coast Reporter

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.