Audible Security Flaw Lets Thieves Download Unlimited Free Audiobooks

A loophole in Audible’s security is making it easy to get unlimited free audiobooks, as long as you have no moral qualms about using a fake name and credit card.

It turns out that Audible, which is owned by Amazon, doesn’t verify credit cards and user information before it allows people to start downloading audiobooks, so you can fill your iPhone with audiobooks even if you sign up for an account using an obviously fake credit card.

A teenager in India recently told Business Insider about the flaw. After seeing BI’s experiment, Gizmodo used the same technique to confirm that the loophole is still there.

Using a fake name, email address, and credit card number, you can sign up for any membership plan, so we chose the most expensive plan, which gives you 24 free book credits. It’s easy to buy expensive shit when you’re using completely fake information.

Audible noticed right away that the card information was shady (maybe it was the Simpsons reference or the address of “Fake Avenue” that gave it away). But it didn’t lock “Rory B. Bellows” out.

Even though a warning pops up, Amazon doesn’t check credit card information until the credits run out. Even then, once Amazon figures out a card is faulty, someone trying to rip Audible off can just renew the membership instead of updating the card information. That refills the credits, basically letting people download Audible’s entire catalogue without paying.

I tested what happened when you try to buy stuff using the (fake) credit card instead of the 24 credits at first, and received a notice that Amazon had to verify my information before they’d let my audiobook download start… but then renewed my membership and was able to get the same audiobooks for free.
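The ordering problem described above, modeled as an added example (not Audible's or Amazon's code): one service issues credits before the card is checked, the other withholds them until authorization succeeds. The `authorize` stub, the class names and both card numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PLAN_CREDITS = 24  # the plan described in the article grants 24 credits

def authorize(card: str) -> bool:
    """Hypothetical stand-in for a payment processor's authorization call."""
    return card == "4111111111111111"  # constructed: the only card this stub approves

@dataclass
class Account:
    card: str
    credits: int = 0

class DeferredCheckService:
    """Flow as the article describes it: credits are issued before the card is checked."""
    def signup(self, card: str) -> Account:
        return Account(card=card, credits=PLAN_CREDITS)

    def renew(self, acct: Account) -> bool:
        acct.credits = PLAN_CREDITS  # refilled without re-checking the card
        return True

class VerifyFirstService:
    """Hardened flow: no credits on sign-up or renewal until authorization succeeds."""
    def signup(self, card: str) -> Account:
        acct = Account(card=card)
        self.renew(acct)
        return acct

    def renew(self, acct: Account) -> bool:
        if not authorize(acct.card):
            return False  # entitlement withheld; balance is left unchanged
        acct.credits = PLAN_CREDITS
        return True

def titles_obtained(service, card: str, cycles: int = 3) -> int:
    """Spend every credit, renew, and repeat; return how many titles were released."""
    acct = service.signup(card)
    total = 0
    for _ in range(cycles):
        total += acct.credits  # one title per credit
        acct.credits = 0
        service.renew(acct)
    return total

if __name__ == "__main__":
    fake = "0000000000000000"  # constructed invalid card
    print(titles_obtained(DeferredCheckService(), fake))
    print(titles_obtained(VerifyFirstService(), fake))
```

With the check moved ahead of the grant, an unverifiable card never accumulates credits, so renewal has nothing to refill.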

Obviously you should not do this! It’s stealing, even though it might feel less so because it’s online. It’s notable, though, that Amazon has left Audible’s system so insecure for so long.

“This is a fraud issue, not a security issue. The fraudulent activity described in the Business Insider article did not put any customer data at risk of exposure, nor did it affect customer experience in use of; no honest Audible customer has been or will be injured by this,” Audible’s Senior Director of Communications told Gizmodo.

“While we are constantly working to improve ease of use by customers, any momentary breach is closed quickly through our process when invalid credit cards are used. We take the act of fraud very seriously and always have and always will.”

Business Insider claims Amazon has known about this since 2013. It seems like an odd thing not to fix, because it gives people a very easy way to snag free audiobooks. [Business Insider]