Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Amazon Fixes Persistent XSS Vulnerability Affecting Kindle Library

Amazon has addressed a security hole that enabled attackers to inject malicious code into the company’s website and potentially compromise user accounts, a researcher reported on Tuesday.

Amazon has addressed a security hole that enabled attackers to inject malicious code into the company’s website and potentially compromise user accounts, a researcher reported on Tuesday.

Benjamin Daniel Mussler from Germany identified a persistent cross-site scripting (XSS) vulnerability on the Amazon webpage where users manage their Kindle e-book readers. According to the expert, an attacker could inject malicious code through e-book metadata. For example, he could add a book title containing code such as: <script src=”https://www.example.org/script.js”></script>.

If a victim adds this “book” to his/her library, the code is executed as soon as the Kindle library webpage is opened.

“As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised,” Mussler explained in a blog post.

The researcher also pointed out that it’s unlikely that Amazon will allow e-books with malicious code as a title to be added to its store. However, an attacker could plant such e-books on third-party websites. The malicious code gets executed if the victim uses Amazon’s “Send to Kindle” service to copy them to the device.

The issue was first reported to Amazon in November 2013 through the company’s [email protected] email address. Amazon rolled out a fix by December 6, 2013. However, with the redesign of the “Manage your Kindle” webpage, the company reintroduced the vulnerability.

Mussler realized that the flaw had been reintroduced in July, when he notified Amazon once again. However, since the company didn’t respond to the researcher’s second report, he decided to go public with his findings on Friday. In an update made to his initial blog post, Mussler reported that the issue was fixed by Amazon on Tuesday.

Kindle users who organize their e-books with third-party applications could also be affected by such vulnerabilities. The researcher has identified a similar security hole in the open source library manager Calibre. Fortunately, unlike Amazon, Calibre developers addressed the vulnerability the next day after it was reported.

A different persistent XSS vulnerability identified by Mussler could have been triggered via the Kindle device name. When Kindle users set a name for their e-book readers from the Amazon website, they’re not allowed to use characters such as “<” and “>,” which are usually present in malicious scripts. However, these characters are not filtered when setting the device name directly from the Kindle.

An attacker with physical access to the reader could have set malicious code as device name. When the victim would visit his/her “Manage your Kindle” webpage, the code would be executed.

This vulnerability was reported to Amazon in October 2013 and it was fixed in mid-December 2013. However, it too was reintroduced sometime this year when the company redesigned the “Manage your Kindle” webpage. Amazon silently addressed the flaw for the second time sometime in July 2014.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.