Love it or hate it, digital content is here to stay.
Be it games distributed via Steam, underpriced apps from the App Store, or books from Amazon, all your digital entertainment and business needs can seemingly be provided for by the virtual world.
But that can cause problems.
Take apps for example – acquiring them from the App Store or Google Play is generally a safe bet, but sometimes you may want an app that isn’t available, or find one elsewhere at a reduced price, or even free. In the latter case there is a fair chance that you may not receive what you expected or, if you do, it may come with some undesirable “extras”.
But such issues shouldn’t only concern users of smartphones or tablets. No sirree, even the humble ebook reader needs to be aware of the issues surrounding literature acquired from alternative sources.
The most recent example of what I am talking about here comes in the form of Kindle ebooks and the possibility that they could be used to compromise your Amazon account.
Security researcher Benjamin Mussler says a flaw in Amazon’s Kindle management page allows hackers to obtain users’ credentials via booby-trapped digital books. When a user uploads an ebook obtained from a third party, it passes through Amazon’s systems before it can be stored on their device. That content is held in the cloud-based Kindle Library, and it is this functionality an attacker can abuse: a script hidden in the title metadata of a .mobi or .azw file is rendered by the management page, and the cookies it collects can then be used to hijack the associated Amazon account.
It isn’t the first time this has been possible either – Mussler first reported the flaw almost a year ago and a fix came quickly, but the problem has since reappeared following an update at Amazon’s end:
“When I first reported this vulnerability to Amazon in November 2013, my initial Proof of Concept, a MOBI e-book with a title similar to the one mentioned above, contained code to collect cookies and send them to me.
Interestingly, Amazon’s Information Security team continued to use this PoC on internal preproduction systems for months after the vulnerability had been fixed. This made it even more surprising that, when rolling out a new version of the ‘Manage your Kindle’ web application, Amazon reintroduced this very vulnerability.
Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed.”
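The mechanism described above is a stored cross-site scripting bug: attacker-controlled metadata from an uploaded ebook is written into the library page without being escaped. The following is an added example, not code from the article, from Mussler or from Amazon; the book objects, field names and the harmless marker script are all constructed for illustration. It shows the vulnerable rendering next to the hardened form and a crude output check a defender can apply.

```javascript
// Added example (not from the article or from Amazon's code): rendering an
// ebook title verbatim into the library page is a stored XSS; escaping the
// untrusted field on output removes it.

// HTML-escape the five characters that can change markup context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the title is interpolated straight into page HTML,
// so any markup inside it is parsed and executed by the browser.
function renderLibraryUnsafe(books) {
  return books.map((b) => `<li class="title">${b.title}</li>`).join("\n");
}

// Hardened rendering: every untrusted field is escaped before interpolation.
// (Marking the session cookie HttpOnly is a complementary defence: a script
// that does run can no longer read it via document.cookie.)
function renderLibrarySafe(books) {
  return books
    .map((b) => `<li class="title">${escapeHtml(b.title)}</li>`)
    .join("\n");
}

// Crude post-render check: did a raw <script> tag or an on*= event handler
// attribute survive into the generated HTML?
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample library: one ordinary title and one booby-trapped title
// whose payload is a harmless marker rather than a cookie-stealing script.
const SAMPLE_LIBRARY = [
  { title: "A Perfectly Normal Novel" },
  { title: 'Free Bestseller<script>console.log("title executed")</script>' },
];

console.log(renderLibraryUnsafe(SAMPLE_LIBRARY)); // script tag intact
console.log(renderLibrarySafe(SAMPLE_LIBRARY));   // script tag neutralised
```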
Whilst this is primarily of concern to those who pirate content from dubious corners of the web, it could also conceivably apply to content creators whose own systems have been compromised.
So, keep your own system clean and, as ESET’s Mark James says, do not download ebooks or PDFs from dodgy sources either. Saving a few quid could cost you in the long run:
“If you enjoy having lots of books to read while travelling around on business or relaxing by the pool on vacation, then the thought of having them all on an electronic device seems perfect. The Amazon Kindle is an excellent device for this, and if you have one you probably struggle with the concept of paying the same, if not more, for an electronic version of the book than the good old-fashioned paper version. It does not make sense: when you look at the production, duplication and storage costs of paper books alongside the exact same content in electronic format, it just does not add up. However, think very hard before you go looking on questionable websites for a cheaper or free version of the eBook, as it may easily contain malware.
I am sure your first thoughts would be “impossible”, it can’t happen, a book cannot contain malware. Well, you’re wrong. Compromised books have been found to have scripts embedded in the titles that, when executed, will attempt to send your Amazon account cookies to the attacker, which could enable them to compromise your Amazon account. Amazon was informed about this last November and they fixed it within days, but when they rolled out their new “Manage your kindle” page earlier this year it manifested itself again. If you want to protect yourself then it’s relatively easy to do so: “DO NOT” download eBooks or pdfs from untrusted sources. It really is not worth it to save a few pounds.”