Amazon Kindle Browser Exposed Searches to MitM Attacks

Researchers discovered that an SSL flaw in Amazon’s Silk web browser could have been exploited by hackers to monitor users’ search engine traffic.

Amazon Silk is a Chromium-based cloud-accelerated web browser developed for the company’s Kindle Fire tablets and Fire Phones. Similar to other browsers, Silk allows device owners to select which search engine they want to use – Google, Bing or Yahoo.

Researchers at security consultancy Nightwatch Cybersecurity discovered that if Kindle users select Google, Silk prevents redirection to the HTTPS version of the website, allowing attackers to launch man-in-the-middle (MitM) attacks and intercept the victim’s search traffic.

When users access google.com over plain HTTP, they are normally redirected to the HTTPS version automatically, but Silk suppressed that redirection for google.com. Experts pointed out that other Google domains, such as google.ru or google.fr, behaved correctly and redirected users to the SSL version of the site.
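The condition the researchers describe, a plain-HTTP request for a search engine's front page that is not upgraded to HTTPS, can be audited from the raw HTTP response a client receives. The following Python is an added example written for this article; it is not code from Amazon, Nightwatch Cybersecurity or the article itself. The sample responses are constructed, and the function names (`parse_response`, `classify_upgrade`, `audit_responses`) are this example's own.

```python
"""Classify whether a plain-HTTP response upgrades the client to HTTPS.

Added illustration for this article, not code from Amazon or the researchers.
It parses raw HTTP/1.1 response text and reports whether a request for
http://<host>/ was redirected to the HTTPS origin of the same site, which
is the behaviour the article says was missing for google.com in Silk.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_upgrade(host: str, raw: str) -> str:
    """Return one of:
    'upgraded'            - redirect to https:// on the same site (host or a subdomain)
    'no-redirect'         - non-redirect status: the client stays on plain HTTP
    'insecure-redirect'   - redirect, but the target is not https://
    'cross-site-redirect' - https:// redirect, but to an unrelated host
    """
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return "no-redirect"
    target = urlsplit(headers.get("location", ""))
    if target.scheme.lower() != "https":
        return "insecure-redirect"
    host = host.lower()
    target_host = (target.hostname or "").lower()
    if target_host != host and not target_host.endswith("." + host):
        return "cross-site-redirect"
    return "upgraded"


def audit_responses(host: str, responses: dict) -> dict:
    """Classify a set of labelled responses for one host; used for batch review."""
    return {label: classify_upgrade(host, raw) for label, raw in responses.items()}


# Constructed sample responses (not captured traffic).
SAMPLE_UPGRADED = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.google.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>search page served over plain HTTP</body></html>"
)
SAMPLE_INSECURE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.google.com/\r\n\r\n"
)

if __name__ == "__main__":
    results = audit_responses("google.com", {
        "expected": SAMPLE_UPGRADED,
        "silk-like": SAMPLE_NO_REDIRECT,
        "downgrade": SAMPLE_INSECURE,
    })
    for label, verdict in results.items():
        print(f"{label:10s} -> {verdict}")
```

Any verdict other than `upgraded` means the search query in the URL would travel in the clear at least once, which is the exposure the article describes; a real audit would feed the function the first response a device receives after requesting `http://<host>/`, and would treat the country-specific domains the same way to confirm the inconsistency the researchers observed.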

The vulnerability affected Silk v49.3.1 and it was patched by Amazon with the release of version 51.2.1. The researchers notified Amazon and Google about the flaw on May 1. Amazon addressed the issue by July 20, but it did not communicate with the experts – the company only sent them a generic response the day after the vulnerability report was sent.

When it was launched in 2011, Silk raised some security and privacy concerns, mainly due to the open connection maintained between the browser and Amazon’s servers. Experts were concerned about the implications of all web connections going through Amazon.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.