As if there haven’t been enough security scares in 2014 already, it looks like another household electronic device could be putting our private information at risk. According to security consultant Benjamin Daniel Mussler at B.FL7.DE, Amazon’s Kindle Library is currently vulnerable to cross-site scripting (XSS) attacks in which malicious code is inserted into an eBook’s metadata.
If you are unlucky enough to add one of these exploited eBooks to your Kindle library, the code within the file’s metadata will be executed the moment you open the Kindle Library, allowing the hacker to see your Amazon cookies. With these, the hacker could potentially access your Amazon account. The title of the malicious eBook would look something like this:
<script src="https://www.example.org/script.js"></script>
This isn’t necessarily limited to old Kindles or brand new Kindle Fires either — anyone who uses the Kindle Library to store eBooks or have them sent to a Kindle is at risk. Thankfully, the exploit will likely only affect users who are downloading pirated eBooks from untrustworthy sources, so don’t worry about adding an eBook to your Amazon shopping cart any time soon.
Amazon apparently fixed this exploit when Mussler originally reported it last year, but in the latest update to the Kindle Library, the issue has returned. Mussler reported it to Amazon once again earlier this summer, but has yet to receive a response.
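The flaw described above comes down to an eBook title being written into the library page without output encoding. The following is an added example, not code from Amazon or from Mussler's report: the rendering functions, field names and cookie name are hypothetical, and it shows the vulnerable pattern beside the escaped one, plus the HttpOnly cookie flag that keeps session cookies out of reach of page script.

```javascript
// Constructed sample metadata; the second title is the example string from the article.
const library = [
  { title: "Moby-Dick", author: "Herman Melville" },
  { title: '<script src="https://www.example.org/script.js"></script>', author: "Unknown" },
];

// Escape the five characters that let text break out of HTML element or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical renderer): metadata is concatenated into
// markup as-is, so a <script> element in the title becomes part of the page.
function renderRowUnsafe(book) {
  return "<tr><td>" + book.title + "</td><td>" + book.author + "</td></tr>";
}

// Hardened pattern: every metadata field is escaped at output time.
function renderRowSafe(book) {
  return "<tr><td>" + escapeHtml(book.title) + "</td><td>" + escapeHtml(book.author) + "</td></tr>";
}

// Defence in depth: a session cookie marked HttpOnly is not readable by page script.
function sessionCookieHeader(name, value) {
  return `Set-Cookie: ${name}=${encodeURIComponent(value)}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

function renderLibrary(books, renderRow) {
  return "<table>" + books.map(renderRow).join("") + "</table>";
}

console.log(renderLibrary(library, renderRowUnsafe)); // title emitted as live markup
console.log(renderLibrary(library, renderRowSafe));   // title emitted as inert text
console.log(sessionCookieHeader("session", "constructed-value"));
```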