Amazon fixes security flaw in Kindle ebooks
The flaw could have allowed hackers to access your Amazon account details


Amazon has responded to complaints about malware present on Kindle ebooks by fixing the security flaw.
Yesterday, it was revealed that some ebooks downloaded from the internet were installing malware on the ereader, meaning hackers could potentially gain access to users' Amazon accounts or personal details for identity fraud purposes.
Security researcher Benjamin Daniel Mussler uncovered the flaw and said Amazon was very much open to a cross-site scripting attack.
The issue is not thought to affect people who buy their books from Amazon, but could arise if they use an illegal download or untrustworthy ebook site.
The problem begins when a hacker embeds a malicious script into the ebook file, or simply hyperlinks to the script in its download link.
If you find a book you've been desperately looking for on an ebook download website (for example, an illegal download site), download it and then email it to your Kindle using the Send to Kindle feature, it will show up in your Kindle library on Amazon's website as a script file (typically with a subject that includes
The script could allow everything a user does on their Kindle account to be tracked, so if the user then returned to the Amazon Kindle store and logged in again, the attacker would obtain their login details.
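The attack chain above is a stored cross-site scripting problem: metadata carried in the ebook file is rendered into the library web page without being escaped. The following added example (not Amazon's code or Mussler's; the OPF snippet and the inert `<script>` marker in its title are constructed) shows a title read from an EPUB's `content.opf`, the vulnerable rendering beside the escaped one, and a simple server-side check that would flag such a title for review.

```python
import html
import xml.etree.ElementTree as ET

# Constructed OPF metadata, as an EPUB's content.opf would carry it. The
# title holds markup, standing in for the script-bearing title the article
# describes. The script body is an inert marker, not a working payload.
OPF_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://www.idpf.org/2007/opf" version="2.0">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>Free Book &lt;script&gt;/*marker*/&lt;/script&gt;</dc:title>
    <dc:creator>Unknown</dc:creator>
  </metadata>
</package>"""

NS = {"opf": "http://www.idpf.org/2007/opf",
      "dc": "http://purl.org/dc/elements/1.1/"}

def read_title(opf_xml: str) -> str:
    """Return the dc:title text exactly as the uploaded file carries it."""
    root = ET.fromstring(opf_xml)
    node = root.find("opf:metadata/dc:title", NS)
    return node.text if node is not None and node.text else ""

def render_unsafe(title: str) -> str:
    """Vulnerable: upload-controlled metadata is concatenated straight into
    HTML, so a title containing <script> becomes live script in the page."""
    return f"<li class='book'>{title}</li>"

def render_safe(title: str) -> str:
    """Hardened: escape on output, so the same title is shown as text only."""
    return f"<li class='book'>{html.escape(title, quote=True)}</li>"

def looks_like_markup(title: str) -> bool:
    """Server-side check worth logging: a book title should contain no tags."""
    return "<" in title or ">" in title

def demo() -> dict:
    title = read_title(OPF_METADATA)
    return {
        "title": title,
        "unsafe": render_unsafe(title),
        "safe": render_safe(title),
        "flagged": looks_like_markup(title),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```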
This flaw does not affect books from Amazon itself, so Mussler's advice is to only download ebooks from Amazon or other trustworthy sites.
Mussler first discovered the flaw in 2013, and Amazon fixed it within three weeks. He then rediscovered it in July, and when Amazon failed to patch it he wrote about it on his blog.

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.