Security researchers from Check Point have found a dangerous vulnerability in the Amazon Kindle eBook reader. Attackers could have used malicious code to take over the device owner's linked Amazon account or read out their data. Amazon has since closed this vulnerability with an update.
Security researchers from Check Point have discovered a serious vulnerability in Amazon's Kindle eBook reader. The popular device, of which many millions have probably been sold since its introduction in 2007, could be taken over by a very simple hack. Attackers would not only have been able to read all of the device's data, which includes passwords; the vulnerability would even have made it possible for them to take over the complete Amazon account.
Attack via PDF ebook download
According to Check Point, an attack via a contaminated eBook (PDF file) would have been possible. The attackers can hide their malware or a payload in such an eBook and offer it for download. Anyone who then downloads the file and opens it on the device unintentionally activates the malicious code, which takes over the Kindle device via the security hole and locks the user's screen. From then on, the attackers have full access to the device and can use it to take over the linked Amazon account.
Only two-factor authentication can help against the latter. What is particularly perfidious about this attack is that, since it involves books, the language and content of the contaminated eBook can be used to select the victims very precisely, for example by origin or age.
Amazon has closed the vulnerability
Amazon was informed by Check Point and has since closed the gap. Update 5.13.5 from April 2021 is installed automatically as soon as the device has an Internet connection. Check Point is also showcasing the vulnerability it found at the DEF CON conference in Las Vegas and has created a short video demonstrating the hack. All details about the Amazon Kindle vulnerability can be read in this blog post.