Researcher Found Three Bugs Allowing Hacking Amazon Kindle

Researcher Yogev Bar-On from Israeli consulting firm Realmode Labs talked about his KindleDrip attack technique and three Amazon Kindle bugs (already fixed) that underlie it.

For discovery of these vulnerabilities the expert received $18,000 under the bug bounty program.

Let me remind you that I also talked about an IS researcher who earned more than $2,000,000 on HackerOne.

The first vulnerability in the KindleDrip exploit chain is related to the Send to Kindle feature, which allows users to send e-books in MOBI format to their device via email (Amazon creates a special mailbox at @kindle.com for this).

“By abusing this feature, it was possible to send a specially crafted e-book to the device that allows arbitrary code to be executed on the target Kindle,” writes the expert.

Code execution became possible through a second vulnerability, in a library that Kindle devices use to parse JPEG XR images. Exploiting the bug required the user to simply click on a link inside a book containing a malicious JPEG XR image, which would open a browser and run the attacker’s code with limited privileges.

Since even this was not enough for Bar-On, he found a third problem, which allowed him to escalate privileges and execute code with root rights, gaining full control over the target device.

“Attackers can access device credentials and make purchases from the Kindle store using the victim’s credit card. Attackers can sell an e-book in a store and transfer money to their account. Only a confirmation letter will allow the victim to know about such a purchase,” says the expert.

It should be noted that the hacker could not gain access to the actual card numbers or passwords, since these types of data are not stored on the device. Instead, the attacker could obtain special tokens and use them to access the victim’s account.

All a hacker needs for such an attack is to know the email address of the future victim (often the @kindle.com address is the same as the user’s regular email address) and convince them to click on the link inside the malicious e-book. Although the Send to Kindle feature allows sending books to the devices only from pre-approved addresses, the researcher writes that an attacker could simply use spoofing to do so.

A demonstration of the attack can be seen below:

Currently, these vulnerabilities have already been fixed. The code execution and privilege escalation problems were eliminated in December 2020 with the release of version 5.13.4. In addition, Amazon now sends verification links to email addresses that cannot be authenticated, and adds some characters to @kindle.com addresses to make them harder to guess.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
