Sharing eBook With Your Kindle Could Have Let Hackers Hijack Your Account
Amazon has addressed a number of flaws in its Kindle e-reader platform that could have allowed an attacker to take control of victims' devices by simply sending them a malicious e-book.
Dubbed "KindleDrip," the exploit chain takes advantage of a feature called "Send to Kindle" to send a malware-laced document to a Kindle device that, when opened, could be leveraged to remotely execute arbitrary code on the device and make unauthorized purchases.
When linked together, these weaknesses could be abused to swipe device credentials and to purchase e-books sold by the attackers themselves on the Kindle store using the target's credit card.
Amazon fixed the flaws on December 10, 2020, for all Kindle models released after 2014, following Bar-On's responsible disclosure on October 17.
An important aspect of the Send to Kindle feature is that it only works when a document is sent as an attachment to a "Kindle.com" email address from email accounts that have been previously added to an "Approved Personal Document E-mail List."
Software updates on Kindle devices are by default downloaded and installed when connected wirelessly.