
Kindle Ebook Hack Leads to Amazon Account Hijacking

Summary

– An ethical hacker demonstrated how a malicious ebook could exploit vulnerabilities in a Kindle device.
– Once this malicious ebook was downloaded to the device, the hacker gained full access to the linked Amazon account.
– The hacker, Valentino Ricotta, works for the defense and security group Thales and presented his findings at a security conference.
– He highlighted the risk posed by the Kindle’s constant internet connection and long battery life.
– The device’s access to the Amazon account allows it to make purchases with stored payment details in a single click.

A security researcher has demonstrated a concerning method for taking over an Amazon account by exploiting vulnerabilities in a Kindle e-reader. The discovery highlights the often-overlooked risks associated with connected devices that hold sensitive personal and financial information. The hack involved creating a specially crafted, malicious ebook file that, once downloaded to the device, granted the attacker complete control over the user’s linked Amazon account.

Valentino Ricotta, an engineering analyst and ethical hacker with the defense firm Thales, conducted the research. He focused on the Kindle because it is a common internet-connected device that many users trust implicitly. The e-reader maintains a persistent link to an Amazon account, which often includes stored payment details for one-click purchases.

Ricotta developed a proof-of-concept malicious ebook designed to exploit security weaknesses in the Kindle’s software. His investigation revealed that the device, due to its long battery life and constant connectivity, presents a unique and potent attack vector. Once the compromised ebook was opened on the target Kindle, it executed code that allowed Ricotta to hijack the associated Amazon account remotely.

He presented these findings at the Black Hat Europe security conference in London. The session, titled “Don’t Judge an Audiobook by Its Cover,” aimed to raise awareness about the potential dangers lurking in seemingly benign digital content. Ricotta emphasized that the Kindle’s capabilities, including its direct access to a user’s Amazon account and saved credit card, make it a high-value target for malicious actors.

This research serves as a critical reminder that any internet-connected device can become a gateway for broader account compromise. Users are advised to be cautious about the sources of their digital content and to keep device software updated to the latest versions to patch known vulnerabilities.

(Source: The Times)
