XSS bug allows Amazon account hijacking
A recurring XSS bug in Amazon’s Kindle Library, i.e. the “Manage your Kindle” web application, can be exploited by attackers looking to hijack users’ Amazon account, a German researcher has warned.
In order for this attack to work, the user must be tricked into adding an e-book containing a specific script in its metadata to his or her Kindle Library, and then open the Kindle Library web page.
Once that is done, the code is automatically executed, and the attacker can harvest Amazon account cookies which can then be used to gain access to the victim’s account.
To prove his point, Mussler has created a Proof-of-Concept file that contains the script in the title metadata, and has made it available for download so others can check his claims.
But, apparently, the bug isn’t new. He first discovered it in November 2013 and notified Amazon of it. The company’s Information Security team fixed it, but for a yet unknown reason, reintroduced the bug in the new (latest) version of the “Manage your Kindle” web app.
Mussler warned Amazon again of the existence of the bug, but has not heard back from them in two months, which prompted him to make the information public.
The bug affects everyone who uses Amazon’s Kindle Library to store e-books or to deliver them to a Kindle, but users who download pirated e-books from third-party sources are definitely in greater danger than those buying books from Amazon.
When Mussler initially found the bug, he also tested the Calibre e-book management app that some use as an alternative to Amazon’s Kindle Library, and found it was also vulnerable. Luckily for Calibre users, the bug was fixed in record time.