Amazon has addressed a security hole that enabled attackers to inject malicious code into the company’s website and potentially compromise user accounts, a researcher reported on Tuesday.
Benjamin Daniel Mussler from Germany identified a persistent cross-site scripting (XSS) vulnerability on the Amazon webpage where users manage their Kindle e-book readers. According to the expert, an attacker could inject malicious code through e-book metadata. For example, he could add a book title containing code such as: .
If a victim adds this “book” to his/her library, the code is executed as soon as the Kindle library webpage is opened.
“As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised,” Mussler explained in a blog post.
The researcher also pointed out that it’s unlikely that Amazon will allow e-books with malicious code as a title to be added to its store. However, an attacker could plant such e-books on third-party websites. The malicious code gets executed if the victim uses Amazon’s “Send to Kindle” service to copy them to the device.
The issue was first reported to Amazon in November 2013 through the company’s security@amazon.com email address. Amazon rolled out a fix by December 6, 2013. However, with the redesign of the “Manage your Kindle” webpage, the company reintroduced the vulnerability.
Mussler realized that the flaw had been reintroduced in July, when he notified Amazon once again. However, since the company didn’t respond to the researcher’s second report, he decided to go public with his findings on Friday. In an update made to his initial blog post, Mussler reported that the issue was fixed by Amazon on Tuesday.
Kindle users who organize their e-books with third-party applications could also be affected by such vulnerabilities. The researcher has identified a similar security hole in the open source library manager Calibre. Fortunately, unlike Amazon, Calibre developers addressed the vulnerability the next day after it was reported.
A different persistent XSS vulnerability identified by Mussler could have been triggered via the Kindle device name. When Kindle users set a name for their e-book readers from the Amazon website, they’re not allowed to use characters such as “,” which are usually present in malicious scripts. However, these characters are not filtered when setting the device name directly from the Kindle.
An attacker with physical access to the reader could have set malicious code as device name. When the victim would visit his/her “Manage your Kindle” webpage, the code would be executed.
This vulnerability was reported to Amazon in October 2013 and it was fixed in mid-December 2013. However, it too was reintroduced sometime this year when the company redesigned the “Manage your Kindle” webpage. Amazon silently addressed the flaw for the second time sometime in July 2014.