Kindle security vulnerability can 'compromise' Amazon accounts

A security flaw in Amazon's website can lead to malicious links being added to Kindle e-books, which one researcher says can be used to compromise a person's Amazon.com account.
Written by Zack Whittaker, Contributor
Image: CNET/CBS Interactive

A security vulnerability exists in Amazon's Kindle Library, which can be used to "compromise" an entire Amazon.com account, according to the researcher who found the flaw.

German researcher Benjamin Mussler published a proof-of-exploit on his blog after claiming Amazon previously fixed the flaw, but reintroduced it later on. Mussler said Amazon had not responded after he submitted it for the second time, which led him to publicly disclose the flaw.

The vulnerability, known as a cross-site script (XSS), can be included in a Kindle e-book's metadata, such as the title, which automatically executes as soon as the victim opens their Amazon Kindle Library page on Amazon.com.

"As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised," Mussler said.

Anyone who uses Amazon's Kindle Library to store e-books or deliver them to a Kindle, he said, is affected by the bug. 

Mussler warned that those who obtain e-books from untrustworthy sources, such as pirated copies of popular books, are at greater risk than those who buy through Amazon.com.

The researcher said he first reported the vulnerability privately to Amazon in November 2013, and was fixed with a relatively quick turnaround. But after the retail giant rolled out a new version of the "Manage Your Kindle" web application, the bug was reintroduced.

"Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed," he said.

We reached out to Amazon, but did not hear back at the time of writing.

Editorial standards