Security flaw found in Amazon's Kindle Touch

Security flaw found in Amazon's Kindle Touch

Summary: Security researchers from heise Security have created a proof-of-concept code for a remotely exploitable vulnerability affecting Amazon's Kindle Touch 5.1.0 firmware.

SHARE:
TOPICS: Security
4
amazon-logo

Security researchers from heise Security have created a proof-of-concept code for a remotely exploitable security vulnerability affecting Amazon's Kindle Touch 5.1.0 firmware.

The demo allows arbitrary shell commands to be injected into a Kindle Touch, allowing the security researchers to create a script where the Kindle sent back a copy of /etc/shadow to a heise Security web server.

Apparently, the security issue has been known for over three months now. Amazon Inc. responded to heise Security that they're working on a patch. Unfortunately, the patch cannot by pushed to Kindle Touch users and they would have to personally issue the update on their devices.

Find out more about Dancho Danchev at his LinkedIn profile.

 

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • So?

    The article assumes a lot about readers who are not highly familiar with Unix. What does this mean for an average Kindle Touch user? Will this expose their Amazon Username and Password? Turn their e-reader into a brick or a botnet participant? Please give us more information.
    howardgr
    • arbitrary command execution with root privileges

      It means that any website has the ability to run any command on the Touch with root privileges. Kind of a big deal.
      forrestgump2000@...
      • Proof of Concept

        Right now there is a jailbreak website (similar to jailbreak.me except for kindle) where you can jailbreak your kindle with one click. I'm pretty sure there is already a fix out for version 5.1.1.
        yoonsikp
  • Patched 2 weeks ago

    The Amazon site does not consistently label the patch on their support website, but the patch for this bug was quietly released about 2 weeks ago.
    lanasth