Call Us Anytime

+30 210 600 6666

Operating Hours

10:00 - 18:00

Email Us

[email protected]
REQUEST A CALL

XSS Flaw Burns a Hole in Kindle Security

Home News XSS Flaw Burns a Hole in Kindle Security
XSS Flaw Burns a Hole in Kindle Security
/ Innotech News Technology

XSS Flaw Burns a Hole in Kindle Security

Honesty Is the Best Policy

People who download pirated e-books are at greatest risk, according to Mussler.

"The biggest problem is reserved for those grabbing files from freebie download sites they haven't heard of, or random torrents," Chris Boyd, malware intelligence analyst at Malwarebytes, told TechNewsWorld.

This is generally true for downloads from random sources.

The Kindle Flaw

The XSS flaw lets hackers inject malicious code into a victim's account through e-book metadata such as an e-book's title, Mussler wrote.

The code will execute as soon as the victim opens the Kindle Library Web page after downloading a poisoned e-book.

Hackers can access and steal the victim's Amazon account cookies, Mussler said.

Users who stick to e-books from Amazon's store should be safe.

A Storm in a Teacup?

"On a scale of 1 to 10, with 10 being the kind of exploit suffered by Target or TJ Maxx, this would probably rate a 2 or 3," Charles King, principal analyst atPund-IT, told TechNewsWorld.

Still, "no vendor likes to be seen as being unable to keep its customers' personal information secure, whether or not it's relatively mundane," King pointed out.

Timing Is Everything

The real problem with the XSS scripting flaw is that Amazon "has not addressed this issue in a timely fashion," Rob Enderle, principal analyst at theEnderle Group, told TechNewsWorld.

That's where the situation could cause Amazon grief, because that "makes it look like they don't take security seriously, and this would raise red flags for users of Amazon Web Service," he remarked.

If enough Kindle users are affected, this "could do material damage to Amazon's brand," Enderle warned.

"Kindle is an Amazon storefront and does provide the opportunity for a mass Target-scale breach," he pointed out, "which would be very bad for Amazon, given it addressed the vulnerability [previously] and then reintroduced it."

Amazon did not respond to our request to comment for this story.

Now Hear This!

On the heels of the news about the Kindle flaw, another problem cropped up for Amazon.

The company's Audible audiobook service contains a vulnerability that anyone can exploit in order to download unlimited audio books for free, Business Insider reported on Monday.

Computer science student Alan Joseph discovered that the site apparently does not authenticate credit card payments before letting visitors purchase books.

Joseph's code reportedly let Business Insider use fake credit card information to purchase Audible's most expensive membership program, a US$229 Platinum Annual Membership that allows buyers to download 24 books.

Amazon apparently was first made aware of the exploit in March 2013 but did not take action, according to the report.

Amazon does display a warning after trying to verify payment, but hackers apparently can get around that by renewing their membership using the same fake credit card information.

Amazon reportedly told Business Insider that the exploit was a fraud issue, not a security issue, noting that customer data was not at risk.

The customer experience was not affected by the flaw, it maintained. However, Amazon said it does take fraud seriously.

RECENT POSTS

CATEGORIES