Researcher Yogev Bar-On from Israeli consulting firm Realmode Labs talked about his KindleDrip attack technique and three Amazon Kindle bugs (already fixed) that underlie it.For discovery of these vulnerabilities the expert received $18,000 under the bug bounty program.
Let me remind you that I also talked about IS researcher earned more than $2000000 on HackerOne.
The first vulnerability in the KindleDrip exploit chain is related to the Send in Kindle feature, which allows users to send e-books in MOBI format to their device via email (Amazon creates a special mailbox at @ kindle.com for this).
Code execution became possible with a second library vulnerability that Kindle devices use to parse JPEG XR images. Exploiting the bug required the user to simply click on a link inside a book containing a malicious JPEG XR image, which would open a browser and run the attacker’s code with limited privileges.
Since even this was not enough for Bar-On, he found a third problem, which allowed him to escalate privileges and execute code with root rights, gaining full control over the target device.
It should be noted that the hacker could not gain access to the actual card numbers or passwords, since these types of data are not stored on the device. Instead, the attacker could obtain special tokens and use them to access the victim’s account.
All a hacker needs for such an attack is to know the email address of the future victim (often @ kindle.com is the same as the user’s regular email address) and convince him to click on the link inside the malicious e-book. Although the Send to Kindle feature allows sending books to the devices only from pre-approved addresses, the researcher writes that an attacker could simply use spoofing to do so.
A demonstration of the attack can be seen below:
Currently, these vulnerabilities have already been fixed. So, problems with code execution and privilege escalation were eliminated in December 2020 with the release of version 5.13.4. In addition, Amazon now sends verification links to email addresses that cannot be authenticated, and adds some characters to @kinle.com addresses to make them harder to guess.