Amazon has responded to complaints about malware present on Kindle ebooks by fixing the security flaw.
Yesterday, it was revealed that some ebooks downloaded from the internet were installing malware on the ereader, meaning hackers could potentially gain access to users' Amazon accounts or personal details for identity fraud purposes.
Security researcher Benjamin Daniel Mussler uncovered the flaw and said Amazon was very much open to a cross-site scripting attack.
The issue is not thought to affect people who buy their books from Amazon, but could arise if they use an illegal download or untrustworthy ebook site.
The problem begins when a hacker embeds a malicious script into the ebook file, or simply hyperlinks to the script in its download link.
If you find a book you've been desperately looking for on an ebook download website (for example, an illegal download site), download it and then email it to your Kindle using the Send to Kindle feature, it will show up in your Kindle library on Amazon's website as a script file (typically with a subject that includes
The script could allow everything a user does on their Kindle to be tracked, so if people head back to the Amazon Kindle store and re-login, the hacker would have their login details.
This flaw does not affect books from Amazon itself, so Mussler's advice is to only download ebooks from Amazon or other trustworthy sites.
Mussler first discovered the flaw in 2013, but Amazon fixed it in three weeks. He then-rediscovered it in July and Amazon failed to patch it, hence why he wrote about it on his blog.
