This is a preview. The full article is published at goodereader.com.

New Kindle Book Malware can hack your Amazon account

By Michael Kozlowski, Good e-Reader

One of the benefits of e-readers is that few exploits can take over your entire account and let a malicious actor gain access to your digital life. We’ve all heard about phones, tablets, and computers getting hacked, but there is a new method that lets a hacker gain access to your entire Amazon account through a sideloaded e-book.

Valentino Ricotta, an engineering analyst for Thales, the defence and security group, created a “malicious” ebook that enabled him to exploit vulnerabilities in the Kindle. After downloading the ebook to the device, he was able to access the linked Amazon account. “Once an attacker gets a foothold inside a Kindle, it could access personal data, your credit card information, pivot to your local network, or even to other devices that are registered with your Amazon account.”

Many people who side-load books onto their Kindles go to third-party websites, mass-download many books, and then transfer them to their Kindles via USB. “And so the impact can be there even if the Kindle is not connected to the internet. So it’s about being aware of these kinds of threats, and not trusting third-party websites,” he added.

Ricotta informed Amazon of the flaws, which were both deemed “critical” and fixed. He was awarded a $20,000 “bug bounty” from a software company for exposing vulnerabilities. Thales donated this to charity.

An ethical hacker hoping to get a bug bounty is one thing, but there are other methods, not publicly disclosed, that can also result in a full account takeover. Another e-book method that hasn’t been patched is a vulnerability in the onscreen keyboard. It can track the Kindle’s loading of malicious code, enabling a hacker to steal the user’s Amazon session cookies - tokens that grant access to the account.

Update: An Amazon spokesman said: “We identified and fixed vulnerabilities affecting Kindle E-readers and the Audible functionality on these devices. All affected devices have received automatic updates addressing these issues. We appreciate the security researchers who help us maintain high security standards for our customers. Also, we wanted to share on-background that: there is no evidence this issue was used to access customer accounts or devices outside of this test, before being fixed earlier this year. Also, the issue could only be discovered with physical access to a customer’s device.”

via The Times

Michael Kozlowski has written about audiobooks, e-books and e-readers for the past eighteen years. He lives in Vancouver, British Columbia, Canada.
