
Researchers have managed to get Amazon to fix a security flaw in its Kindle Library service (also known as “Manage Your Content and Devices” and “Manage your Kindle”). The flaw allowed JavaScript to be executed when a book was viewed in the web interface.
If a SCRIPT tag was included in the book's title then, when the book was viewed in the online Kindle Library service, that script was executed. Such a script could easily allow a hacker to access your Amazon cookies, which in turn would allow them access to your Amazon account. Pretty nasty stuff.
Amazon fixed this issue yesterday (16th September 2014) after it was re-discovered by the researchers. That’s right, re-discovered. The issue had previously been fixed by Amazon and had somehow been re-included in recent updates to the service.
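The failure described above, together with a regression check of the kind that catches such a bug being reintroduced, as an added example. This is not Amazon's code: the function names and the sample book metadata are hypothetical and constructed for illustration.

```javascript
// Added illustration; all names here are hypothetical, not Amazon's code.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: metadata taken from the uploaded book is concatenated
// into the page markup unchanged, so a tag in the title becomes a real tag.
function renderRowUnsafe(book) {
  return '<tr><td class="title">' + book.title + '</td><td>' + book.author + '</td></tr>';
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderRowSafe(book) {
  return '<tr><td class="title">' + escapeHtml(book.title) +
         '</td><td>' + escapeHtml(book.author) + '</td></tr>';
}

// The row template itself contributes exactly six tags:
// <tr>, <td ...>, </td>, <td>, </td>, </tr>
const TEMPLATE_TAG_COUNT = 6;

// Regression check: any '<' beyond the template's own tags means that
// untrusted metadata reached the page as markup.
function containsInjectedMarkup(html) {
  return (html.match(/</g) || []).length !== TEMPLATE_TAG_COUNT;
}

// Constructed sample metadata, including a harmless title that contains '<'.
const SAMPLE_BOOKS = [
  { title: 'Moby-Dick', author: 'Herman Melville' },
  { title: 'Cats <3 Dogs', author: 'A. Writer' },
  { title: '<script>/* placeholder */</script>', author: 'Test "Author" & Co' },
];

// Returns the titles whose rendered row contains markup the template did not emit.
function auditRenderer(render) {
  return SAMPLE_BOOKS.filter((b) => containsInjectedMarkup(render(b))).map((b) => b.title);
}

console.log('unsafe renderer flagged:', auditRenderer(renderRowUnsafe));
console.log('safe renderer flagged:', auditRenderer(renderRowSafe));
```

Run as part of the build, a check like `auditRenderer` fails as soon as a later change swaps the encoded output back for raw concatenation.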
This kind of thing is really worrying. 10 years ago the web was plagued by SQL injection attacks, where poorly written forms on websites would allow users to include database commands. These were then executed when the form data was saved to the database powering the site, giving hackers complete control of the site and its data. Now, poorly validated code was twice released by one of the largest content providers on the planet, and that code could have given any ebook creator great power over your Amazon account. I bet you save your credit cards in your Amazon account, so imagine what a hacker could order.
Different methods of attack, but they both come down to the same issue. Developers dealing with our data, who we depend on and trust, really need to be paying more attention to how people might be looking to take advantage of their code.
You can read the full security article here.