Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks

The flaws that potentially allowed hackers to spend money using victims’ credit cards are now fixed.

A series of vulnerabilities in Amazon's Kindle could have allowed hackers to take control of victims' devices by sending them a malicious ebook, according to new research.

Yogev Bar-On, a researcher at the security firm Realmode Labs, looked last year at the security of Kindles and in particular at Amazon's Send to Kindle feature, which lets users send ebooks or articles to their Kindle, much like a "read it later" app. Bar-On found three different vulnerabilities which, if chained together, could let a hacker take control of a victim's Kindle and spend money with their credit card on the Kindle Store, as well as access any personal information stored on the device, such as full name and address.

"The worst case scenario would be that the attackers would steal money from the victim and also steal private information about him (like name and address)," Bar-On said in an email, referring to home addresses. 

"The attacker could do anything the Kindle could do. It can use stored credentials (not a password, special credentials) to log in to the victim's Amazon account," Bar-On explained. "I am not sure to which extent the attacker has control on the account, but at the least the attacker can make purchases on the Kindle store using the victim's credit card, and have access to any personal information stored on the device."

As Bar-On explained in his blog post, the attack could have started with a malicious ebook sent to the victim. A mitigating factor here is that the hacker needed to spoof the email address they used to match the @kindle.com email address used by the target. In some cases, these are not trivial to guess, as they can contain a series of random numbers. Bar-On, however, said that he believes hackers could have guessed them by brute forcing all potential combinations. 

The hacker would send the ebook to a victim, and it would automatically appear in their Kindle library. Once the victim opened the ebook and clicked on a link in the table of contents, the Kindle would open an HTML page in its built-in browser that contained a malicious image file. The Kindle would then parse the malicious image and let the hacker take over the device.

An Amazon spokesperson confirmed that the bugs found by Bar-On have been fixed, and said the bugs could not have allowed hackers to take over a victim's Amazon account.

"The security of our devices and services is a top priority. We have already released an automatic software update over the Internet fixing this issue for all Amazon Kindle models released after 2014," the spokesperson said in an email. "Other impacted Kindle models will also receive this fix. We also have measures in place to help prevent customers from receiving content they haven’t requested. We appreciate the work of independent researchers who help bring potential issues to our attention."

Bar-On said that "there is no reason to suspect that this attack was actually exploited, and the devices should already be updated to the fixed firmware version. If the device is not updated, users should update immediately." 

This is a good reminder that even devices we may not think of as hacking targets can leak personal information, and that hackers could obtain useful data by targeting them.

Amazon fixed these bugs on December 10 of last year, after Bar-On reported them on October 17.  

This story was updated to clarify that hackers could only spend money on the Kindle Store.