Malicious e-book for Kindle

Funny: a malicious e-book for Kindle steals its owner's Amazon credentials through a cross-site scripting attack.

Amazon.com Stored XSS via Book Metadata

Amazon's Kindle Library, also known as "Manage Your Content and Devices" and "Manage your Kindle", is, at the time of writing, vulnerable to Stored Cross-Site Scripting (XSS) attacks. (Update 2014-09-16: Apparently, Amazon fixed the issue earlier today.) Malicious code can be injected via e-book metadata; for example, an e-book's title.

Once an attacker manages to have an e-book (file, document, ...) with a title like

added to the victim's library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised.
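The root cause described above is output encoding: the library page placed the e-book title into its HTML as-is. The following is an added example, not code from the quoted post or from Amazon, that renders a constructed sample title into a list item both the vulnerable way (plain concatenation) and the hardened way (HTML-escaping the metadata first), with a small check a defender can run over rendered output. The names `renderTitleUnsafe`, `renderTitleSafe`, `escapeHtml` and `containsScriptTag` are hypothetical and chosen for this example.

```javascript
// Added example (not code from the original post or from Amazon): rendering an
// e-book title into a library page with and without output encoding.

// Constructed sample metadata: a title carrying HTML markup, standing in for a
// title field read from an uploaded document. The tag body is an empty comment.
const SAMPLE_TITLE = 'My Notes <script>/* constructed */</script>';

// Vulnerable rendering: the title is concatenated straight into the page HTML,
// so any markup inside the metadata becomes live markup in the user's browser.
function renderTitleUnsafe(title) {
  return '<li class="book">' + title + '</li>';
}

// Output encoding: replace the five HTML-significant characters so the browser
// treats the title purely as text, whatever the metadata contains.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same markup as above, but the title is escaped first.
function renderTitleSafe(title) {
  return '<li class="book">' + escapeHtml(title) + '</li>';
}

// Defender-side check: does a rendered fragment still contain an opening
// <script> tag? Useful as a regression test over a page's rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration: compare both renderings of the sample title.
console.log('unsafe:', renderTitleUnsafe(SAMPLE_TITLE));
console.log('safe:  ', renderTitleSafe(SAMPLE_TITLE));
console.log('unsafe contains <script>:', containsScriptTag(renderTitleUnsafe(SAMPLE_TITLE)));
console.log('safe contains <script>:  ', containsScriptTag(renderTitleSafe(SAMPLE_TITLE)));
```

Escaping at the point where data is written into HTML is what makes the fix independent of where the metadata came from; a server that validated titles on upload would still be exposed to titles imported by other paths, such as the "Send to Kindle" flows the quoted post alludes to with "file, document, ...". The same encoding must be applied to every other metadata field rendered into the page, not only the title.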
