A security vulnerability, discovered by an Israeli security researcher, enabled attackers to hack Amazon’s Kindle, and steal money from from user accounts.

Sending an infected eBook, and picking up credit card details

Yogev Bar-On, an Israeli researcher at security firm Realmode Labs, discovered 3 vulnerabilities on Amazon’s Kindle tablets, which enabled hackers access to user account details. In addition to the privacy breach, hackers could remotely control the Kindles, and even use credit cards for fraudulent purchases.

The vulnerability, nicknamed KindleDrip, was discovered in the “Send to Kindle” feature, which allows users to send eBooks as an attached file to email. According to Bar-On, he noticed that the feature offers potential to be exploited and decided to research the subject. He concluded that with the just an email address that a hacker could access the device and Kindle account of a unknowing user.

The first vulnerability is the 'send an eBook by email' option - easily abused through spoofing “official” email addresses. Amazon assigns each Kindle with a dedicated address for shipping, however Bar-On noted that it’s usually similar to the user's email address but with @kindle.com at the end. Although, Amazon does add a line of code to the original mail, but it can easily be penetrated with a bit of brute force.

By reverse engineering the Kindle hardware, Bar-On discovered the breach in the way JPEG XR files are read. Bar-On added the file as an attached link inside the “book” he sent to the device, because only the Kindle browser can open the JPEG XR files that led to the attack.

The third vulnerability that Bar-On identified enabled hackers, not just access to the device by running malicious code on the browser, but also root access to the Kindle. In a conversation with Geektime, Bar-On explained that by taking advantage of the vulnerability attackers could attain access to all the private info on the device, including username, home address, last 4 of the credit card, and its expiration date.

In addition, hackers gained access to the Kindle store, where they could buy and sell books, with every book sold adding money to the account - which the hackers can then transfer to their account: “purchases were available only in the Kindle store, but because anyone can sell books in the store, it was the perfect way for attackers to transfer money to themselves.” Despite the deep Kindle-Amazon connection, hackers couldn’t gain access to Amazon’s eCommerce space, with the breach limited to the book store.

Bar-On added that he disclosed the breach through Amazon’s Bug Bounty program, and following comprehensive examination, Amazon awarded Bar-On with an $18,000 bounty for the discovery. Bar-On said that he worked alongside Amazon’s security team to fix the breach. He noted that it took only a week from the moment he discovered the breach and until the POC. For now, it doesn’t seem that anyone abused the opportunity.

Check out the POC: