Security Researcher Found Critical Kindle Vulnerabilities That Allowed Hijacking Amazon Accounts (thetimes.com)
The Black Hat Europe hacker conference in London included a session titled "Don't Judge an Audiobook by Its Cover" about two critical (and now fixed) flaws in Amazon's Kindle. The Times reports both flaws were discovered by engineering analyst Valentino Ricotta (from the cybersecurity research division of Thales), who was awarded a "bug bounty" of $20,000 (£15,000).
He said: "What especially struck me with this device, that's been sitting on my bedside table for years, is that it's connected to the internet. It's constantly running because the battery lasts a long time and it has access to my Amazon account. It can even pay for books from the store with my credit card in a single click. Once an attacker gets a foothold inside a Kindle, it could access personal data, your credit card information, pivot to your local network or even to other devices that are registered with your Amazon account."
Ricotta discovered flaws in the Kindle software that scans and extracts information from audiobooks... He also identified a vulnerability in the onscreen keyboard. Through both of these, he tricked the Kindle into loading malicious code, which enabled him to take the user's Amazon session cookies — tokens that give access to the account. Ricotta said that people could be exposed to this type of hack if they "side-load" books on to the Kindle through non-Amazon stores.
Ricotta donated his bug bounties to charity...
Wait... (Score:3)
Re: (Score:2)
Found the idiot.
IOT with instant purchase credentials (Score:1)
Now what could possibly go wrong? Hmmm. Those who pushed the IOT craze should be beaten with bricked IOT devices.
Re: (Score:1)
AIOT: double-fukt
Amazon (Score:3)
The things about this that are most troubling are that there are no ways for the user to mitigate the problem - you just have to wait for a security update.
Amazon are really good at a lot of things. They've made the shopping experience really, really easy - but with that comes a problem, that convenience is also a vector for attacks. They do not have any ways to limit the potential damage - there's no way to say "always ask for my credit card CVV number", or "always ask for MFA" before making a purchase, you can't limit the purchase amount, or the amount spent today or anything else - you either have to allow everything, or allow nothing (i.e. don't ever store a card with them).
(IMHO, Amazon shopping bears some similarities with online gambling - before regulations requiring spend limits and timeouts, gambling companies made it as easy as possible to spend all of your money too. They made the 'top up' as frictionless and invisible as possible, and they never showed you any sort of statement to say how much you'd made or lost, so it was (too) easy to overspend - Amazon feels very similar, although with less 'game of chance'*)
* You might argue the search results are a game of chance, or possibly the quality of some of the products, but that's rather different from gambling ;-)
That the Kindle is vulnerable is regrettable of course, and probably 'easily' fixed by them. This won't be the last problem of that sort though - maybe it'll be another Kindle bug, or a FireTV, or an Alexa or Ring... the problem will still be the same. Once someone's got your account, they can do some serious damage and there's no way to protect yourself from that. You can only hope you see it happening soon enough and block the credit card or whatever - as a consumer, I don't find that very satisfactory.
Re: (Score:3)
They do not have any ways to limit the potential damage - there's no way to say "always ask for my credit card CVV number", or "always ask for MFA" before making a purchase, you can't limit the purchase amount, or the amount spent today or anything else - you either have to allow everything, or allow nothing (i.e. don't ever store a card with them).
Uh, don't look now, but you just identified exactly how you eliminate Amazon credit card risk.
And look, it's even an option they allow you to do! How convenient.
The world is full of risk. You either mitigate it, or you eliminate it if necessary. The latter doesn't promise convenience. And most don't consider the latter because they're too spoiled by a one-click lifestyle.
Re: (Score:2)
So let me get this right, Stockholm... I either have to accept a sub-standard experience from Amazon, or else I have to accept an (effectively) unlimited risk?
So it is entirely impossible for Amazon to help me out here, is it? Is it too hard for one of the world's largest companies to add some optional features to help me manage my spending and limit my risk? Especially as it mitigates bugs in their own products?
*really*?
Re: (Score:2)
So let me get this right, Stockholm... I either have to accept a sub-standard experience from Amazon, or else I have to accept an (effectively) unlimited risk?
Uh, no. You merely have to be smart enough to know the actual risk here.
Do you dare tell me how long you've had your account running in "unlimited" mode, followed by how many times you haven't had your credit cards stolen?
If the risk were that great, you wouldn't be debating this. You would have already understood the sub-standard experience is the necessary one.
Re: (Score:3)
The things about this that are most troubling are that there are no ways for the user to mitigate the problem - you just have to wait for a security update.
Sure there is:
1) Don't use a Kindle
2) If you use a Kindle, don't install books (or anything else) from untrusted sources
Re: (Score:2)
This article proves that Amazon is an untrusted source, and you need to install books from third parties as they don't get to access the 'Net.
I for one use a non-Amazon reader that doesn't have any kind of network access at all: the books go over a USB cable or over 15x11mm floppies. Try to hijack it...