Amazon accounts turned out to be hackable via a Kindle e-book


I found out that it is possible to hack a user's Amazon account using a script hidden in a Kindle e-book.

B.FL7.DE: Stored XSS via Book Metadata

Your Amazon Account Can be Hacked via a Kindle eBook - The Digital Reader

Security researchers report that Amazon has a serious security hole in the "Manage Content and Devices" page on the "Account Services" page in the Kindle store. Using this security hole, an attacker can easily obtain a user's Amazon account information by embedding a hacking script in an e-book that the user downloads.

In the specific procedure, the following code is first embedded in the title field of the e-book.


"> [/ Code]

This code is executed when a user downloads an e-book with this script embedded and opens the e-book in their own Kindle library. The attacker can then access the cookie information for the user's Amazon account.

In practice, the account information appears to be stolen as follows.

Although this vulnerability could in principle harm every Kindle user, the researcher said that the actual victims are users who download pirated e-books from unreliable sources and read them using the "Send to Kindle" function.

Amazon's proprietary "azw" format does not seem to be affected by this vulnerability, but the "mobi" file format frequently used for pirated e-books is affected, and because Kindle can read these files, there is a possibility of getting hacked.

A proof-of-concept file that displays a pop-up window on the Kindle account page has been released, but Amazon said that this security hole was fixed on 16th September 2014.
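A stored XSS through book metadata is closed by encoding the title at the moment it is written into the page. The following is an added example, not Amazon's code or the researcher's proof of concept: the row markup, the function names and the sample books are all assumptions constructed for illustration.

```javascript
'use strict';

// Constructed sample metadata, as it might be read from uploaded e-book files.
const CONSTRUCTED_BOOKS = [
  { title: 'Moby-Dick; or, The Whale', author: 'Herman Melville' },
  // The title closes the attribute and tag it lands in, then opens a script element.
  { title: 'Sample"><script>/* constructed payload */</script>', author: 'n/a' },
];

// Encode the five characters that can change the HTML parsing context.
// A single pass over the input avoids double-encoding the ampersand.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the title is concatenated into an attribute and into text.
// The row layout is hypothetical; any unescaped sink behaves the same way.
function renderRowUnsafe(book) {
  return `<li><input type="checkbox" title="${book.title}"> ${book.title}</li>`;
}

// Hardened pattern: the same row, with the title encoded at output time.
function renderRowSafe(book) {
  const title = escapeHtml(book.title);
  return `<li><input type="checkbox" title="${title}"> ${title}</li>`;
}

// Ingestion-time signal for logging or review: metadata that contains a tag opener.
// This supplements output encoding and does not replace it.
function metadataLooksLikeMarkup(book) {
  return ['title', 'author'].some((key) => /<[a-z!\/]/i.test(String(book[key] || '')));
}

for (const book of CONSTRUCTED_BOOKS) {
  console.log(metadataLooksLikeMarkup(book) ? 'FLAG' : 'ok  ', renderRowSafe(book));
}
```

Setting the session cookie with the `HttpOnly` attribute additionally keeps it out of reach of page scripts if an unescaped sink is ever missed.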

in Web Service,   Hardware, Posted by logu_ii