Quote:Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root – paving the way for siphoning money from unsuspecting users.
Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the “Send to Kindle” feature to start a chain of attack – a discovery that earned him $18,000 from the Amazon bug-bounty program.
“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device,” he explained in a Thursday posting. “Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.”
To make the attack work (which the researcher calls KindleDrip), an attacker would first need to know the email address assigned to the victim’s device. There’s also a predefined list of approved emails that any e-books would need to be sent from. According to Bar-On, neither requirement is much of a hurdle.
The special destination email address assigned by Amazon is typically just the user’s regular email under the kindle.com domain (e.g. name@gmail.com becomes name@kindle.com), which “can be brute forced,” he explained.
And as for the list of approved addresses, spoofing can easily get around this. “Email authentication is still not as widespread as you may think,” he wrote. “Since many email servers still don’t support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender.” And indeed, he was able to spoof an email message to send an e-book to his own device.
Read more: https://threatpost.com/amazon-kindle-att...il/163282/
![[-]](https://www.geeks.fyi/images/collapse.png)
