A recurring cross-site scripting (XSS) bug in Amazon’s Kindle Library can be exploited by attackers looking to hijack users’ Amazon accounts.
For this attack to work, the user must be tricked into adding an e-book containing a specific script in its metadata to his or her Kindle Library, and then open the Kindle Library web page. Once that is done, the code is automatically executed, and the attacker can harvest Amazon account cookies, which can then be used to gain access to the victim’s account.
The bug was first discovered in November 2013 and reported to Amazon. The company’s Information Security team fixed it but, for a yet unknown reason, reintroduced the bug in the new (latest) version of the “Manage your Kindle” web app. Benjamin Mussler warned Amazon again of the existence of the bug, but has not heard back from them in two months, which prompted him to make the information public.
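A script placed in e-book metadata can only run on the library page if that metadata is written into the HTML without output encoding. The following is an added example, not Amazon's code: the function names and the sample records are hypothetical and constructed, and it shows an unescaped row renderer beside an escaped one, plus an ingestion-time check that flags metadata fields containing markup.

```javascript
// Added illustration; every name here is hypothetical, not taken from the Kindle web app.
// Constructed sample library: the second title carries markup in its metadata.
const SAMPLE_LIBRARY = [
  { title: "Moby-Dick", author: "Herman Melville" },
  { title: "<script>/* constructed marker */</script>", author: 'A "Quoted" Author' },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML element or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: metadata is concatenated straight into markup,
// so a title containing a <script> element becomes part of the page.
function renderRowUnsafe(book) {
  return `<tr><td title="${book.title}">${book.title}</td><td>${book.author}</td></tr>`;
}

// Hardened form: every metadata field is encoded before it reaches the page.
function renderRowSafe(book) {
  const title = escapeHtml(book.title);
  const author = escapeHtml(book.author);
  return `<tr><td title="${title}">${title}</td><td>${author}</td></tr>`;
}

// Ingestion-time check: list metadata fields that contain angle brackets,
// so uploads can be logged or held for review. This complements encoding;
// it does not replace it.
function findSuspiciousFields(book) {
  return Object.entries(book)
    .filter(([, value]) => /[<>]/.test(String(value)))
    .map(([field]) => field);
}

function renderLibrary(books, renderRow) {
  return `<table>${books.map(renderRow).join("")}</table>`;
}
```

Marking session cookies `HttpOnly` limits what an injected script can read, but output encoding of the metadata is what removes the injection itself.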