There is a vast segment of Kindle owners that download pirated eBooks from the internet. It is estimated that up to 20% of eBook downloads stem from bit-torrent or pirate sites. There is a new online threat that is targeting Kindle owners, that may hijack your entire Amazon account.

Digital Books have a great deal of metadata that assists online retailers and publishers in understand reading habits and key metrics. Most of this data is harmless and can be equated to cookies, when you visit internet websites. A new vulnerability has been discovered, that targets pirated eBooks and key metadata in the header or authors name can run external scripts and compromise your Amazon account.

Here is how the vulnerability works. Hackers have been injecting links to external websites in the book’s title or in the field reserved for the name of the author, or in both. The script is triggered when you visit the Amazon Kindle Management page and have used the Send to Kindle Plugin. The Kindle Library takes whatever is inside the book’s title or author fields and inserts it into the Kindle Library web page. As a result, if the title or author fields contain HTML code, this code becomes part of the Kindle Library web page and is treated as if it had originated from Amazon’s server.Send to Kindle remains a very popular function, Amazon has an official version and many 3rd parties have developed alternatives for Android, Chrome, Firefox or iOS. It basically allows you to send documents and eBooks directly to your Amazon account to be read by a Kindle e-Reader, tablet or official reading app.

Piracy has been running rampant ever since the Kindle was first released. The Publishers Association issued 115,000 legal threats to websites to stop free pirated books in 2011, a rise of 130% on 2010. Many websites and file sharing services allow anyone to download them, and the person who cracked it normally just wants to give it away. This new vulnerability should give you pause, that a free eBook may come with a catch.



