Since its launch in 2007, Amazon’s Kindle ebooks have become an almost essential tool in every bookworm’s arsenal, with hundreds of different titles on one device. However, the problem with digitizing the reading process is that even your library is now no longer safe from attack.
According to a report from security firm Realmode Labs, a chain of vulnerabilities that existed in Kindle devices until recently created a situation where an attacker could compromise a victim’s device and account.
The exploit revolved around the popular “Send to Kindle” feature, which allows users to deliver ebooks to their devices via email, researcher Yogev Bar-On explained in a blog post. Armed with knowledge of the device’s email address, an attacker could have delivered a malicious ebook that, when opened, would allow them to execute arbitrary code.
This attack method, Bar-On says, could have allowed an attacker to access personal information, make purchases with the owner’s credit card, and sell ebooks on the Kindle marketplace before transferring money to their own account.
While users may think their Kindle is low on the list of devices likely to be targeted by cyber criminals, the discovery is a reminder that any Internet-connected technology can be misused to steal money and personal information.
Therefore, it is important for device owners to be careful about clicking web links from untrustworthy sources, opening unsolicited email attachments and, in this case, opening ebooks that appear unexpectedly on their devices.
Amazon was warned about the Kindle vulnerabilities in October and has since released an automatic fix for a number of models. According to Bar-On, there is no evidence that the vulnerabilities were exploited in the wild while they remained unpatched.
“The security of our devices and services has the highest priority. We have released an automatic software update via the Internet to fix this issue for all Amazon Kindle models released after 2014. Other affected Kindle models will also receive this fix,” said an Amazon spokesperson.
“We have also taken measures to prevent customers from receiving content they have not asked for. We appreciate the work of independent researchers who help bring potential problems to our attention.”
In an email exchange with TechRadar Pro, Amazon explained that it has since added extra characters to device email aliases, making them much more difficult to guess. In other cases, customers will receive email notifications that require additional confirmation before an ebook is delivered to the device.
Amazon also clarified that an attacker could not gain access to raw credit card information or account passwords using the method the researchers demonstrated, because that data is not stored on the device.