It seems there’s an issue for Amazon Kindles owners should be aware of and take appropriate steps to avoid.
A security researcher discovered malicious code that could potentially be injected – and cookies stolen – via a stored cross site scripting attack on the Manage your Kindle page located on the Amazon website.
According to the researcher, malicious code can be injected via e-book metadata such as the book title. Once the book is added to the victim’s library, the rogue code will trigger once they open their Kindle library web page, leading to the cookies being accessed by – and transferred to – the creator of the e-book in question.
Here’s a writeup by someone demonstrating the researcher’s proof of concept test on themselves, passing with flying colours.
The advice given is to be very wary of pirated e-books and other shady looking downloads – especially if you’re going to make use of the Send to Kindle feature, as this is the most likely way you’ll end up placing an e-book from outside the Kindle store into your Amazon Kindle page.
We’ve taken a look at the Kindle before, and here’s some things you should be aware of:
Unfortunately apps which aren’t all they claim to be do appear on the Kindle Apps store, and buyers of apps should always check before committing to a purchase. Here’s some advice from the above blog entry to steer you in the right direction:
Tips for Avoiding Kindle App Shenanigans
1) Read the reviews. While these apps are in circulation, the only real chance you have of avoiding a stinker is to see what horrors have befallen those brave souls who have gone before you.
2) Check the developer name. If it’s a horrible mashup of words associated with various titles, there’s a good chance some alarm bells may be ringing.
3) Take a good look at the “screenshots”. The majority of the 100% fake apps – the ones which claim to be amazing, mind-blowing games and disclose nowhere that they’re just some terrible tile sliding effort – use lots of pre-renders / promotional art from real games. Google Image Search will probably come in handy here.
On a similar note, many titles in the gaming realm tend to show up on the Amazon Kindle store a while after they’ve already appeared on Android (Google Play) and the iOS stores.
For many impatient individuals, this means a quick treasure hunt in a search engine for unofficial copies, quickly followed by lots of “Aargh what have I done” type complaints once dubious app x has been installed on unsupported device y.
As per the advice in that particular blog:
- Looking for that movie you really like but don’t want to pay for? Malware.
- Looking for an album you really wanted to listen to but out of cash? Malware.
- Looking for that new game that all your friends are playing but you can’t afford? Malware.
The above blog isn’t so much a threat to your e-Book reader or Amazon account as it is to your PC in general, with popular lists of e-Book titles used as a front for PUP (Potentially Unwanted Program) installs.
On the other hand, it is a useful example when talking about how there is no subject a scammer won’t touch to make some money in the side. E-Books? Sure, why not. And you can bet your finest digital copy of 1984 that somebody, somewhere would happily set up a wide range of booby-trapped e-Books to swipe some Amazon accounts – or any other accounts they can get their hands on, for that matter.
E-Book readers are wonderful things, but as with all the bits and pieces of tech we carry around with us on a daily basis they can provide an inroad for people harbouring bad intentions – and the occasional rogue e-Book.