Amazon Kindle RCE Attack Starts with an Email
2021-01-22 21:55

Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root - paving the way for siphoning money from unsuspecting users.

Yogev Bar-On, a researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start an attack chain - a discovery that earned him $18,000 from the Amazon bug-bounty program.

The special destination email address assigned by Amazon is typically just the user's regular email under the kindle.com domain, which "can be brute forced," he explained.

"Since many email servers still don't support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender." And indeed, he was able to spoof an email message to send an e-book to his own device.

"To make matters worse, there is no indication that the e-book was received from an email message," said Bar-On. "It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier."

The attack works on Kindles with firmware version 5.13.2 or below; Amazon fixed KindleDrip in the latest update, firmware version 5.13.4.


News URL

https://threatpost.com/amazon-kindle-attack-email/163282/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Amazon 64 9 60 39 13 121