Once upon an exploit: how fake audiobook led to Kindle takeover


A security analyst reveals how a fake audiobook could be used to take over Amazon’s Kindle, exposing user accounts and personal data — a discovery Amazon later rated ‘critical’ and rewarded with a $20k bug bounty.

If you’re planning on buying a Kindle for someone this Christmas, it probably feels like a safe choice, even if the AI-powered versions are generating debate about their $600+ price tag.

Amazon’s e-readers have sold in huge numbers since the first Kindle launched in 2007, with millions of books consumed via the platform.


But this market proliferation is exactly what inspired Valentino Ricotta, a reverse engineering analyst at Thales, to try to hack into one. That, and the fact that the small, Wi-Fi-connected, always-on Linux computer is logged into your Amazon account.

“It can even buy books from the store with my credit card in a single click,” the researcher noted, a reminder that compromising a Kindle is a route to both cash and personal data.

Speaking at the aptly titled Black Hat session “Don’t judge an audiobook by its cover” on December 11th, Ricotta added that what interested him most was how the Kindle handles content in the background.

Whenever a book or audiobook lands on the device, a background system process parses it: the file is scanned to extract metadata such as title, author and cover image, and broken down into a form the reader can display and navigate correctly. This happens silently, before the user opens anything.

Kindle supports many formats — ebooks, PDFs, images, and Audible audiobooks — all of which must be parsed safely. But it was in the parsing step where the analyst found a fault line.

Because Amazon allows self-publishing, Ricotta said one scenario stood out as particularly dangerous: a malicious book delivered through normal channels.

“Basically, anyone can self-publish a book and distribute it,” the researcher explained. A victim wouldn’t need to click a suspicious link or install anything unusual, just download a book that looks legitimate.


In fact, work in this area has been done before. In late 2020 and early 2021, security researcher Yogev Bar-On and colleagues uncovered a chain of vulnerabilities in Amazon’s Kindle e-reader that could have allowed attackers to compromise a device by sending an ebook.

Known as the “KindleDrip” exploit, that attack started with Amazon’s “Send to Kindle” feature, which delivers documents emailed to a reader’s Kindle address straight to the device, and likewise took advantage of flaws in how the Kindle parses and renders ebooks.

Amazon issued patches in December 2020, with devices updating automatically over the internet. No exploitation in the wild was publicly reported.

Another vulnerability, CVE-2021-30354, reported in 2021, was a heap overflow in the PDF parsing code of older Kindle firmware; it, too, was patched by an Amazon update.

Targeting audiobook files

Instead of targeting ebooks, Ricotta focused on Audible audiobook files, which use a complex multimedia container format closely related to MP4 video.

Even Kindles that cannot play audiobooks still scan these files to extract metadata, Ricotta explained. “The extractor actually goes quite deep into the parsing,” he added, making it a rich target for security research.

By analysing Amazon’s custom Audible parsing code, Ricotta discovered a classic programming mistake: the software miscalculated how much memory it needed before handling certain audiobook data.

By carefully choosing values inside a fake audiobook file, he could trigger what security engineers call a “heap overflow”: the program writes data beyond the buffer it allocated because it wrongly believes it has more space than it actually does.

This caused the Kindle to overwrite parts of its own memory. “There’s an obvious textbook heap overflow here,” he told the audience.
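The bug class described above, as an added illustration that is not the Kindle’s code, Ricotta’s exploit, or Audible’s real file format: a toy metadata extractor for a constructed MP4-style “box” layout that sizes its heap buffer from the box’s declared payload length but copies according to the per-entry length fields, beside a hardened version that validates every length against the enclosing structure before using it. The box layout, the function names and both sample files are assumptions made up for the example; the exact Audible parsing logic is not on the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in layout (not Audible's real format): one box = 4-byte
 * big-endian size (header included), 4-byte type "meta", a 2-byte entry count,
 * then `count` entries of (1-byte length, bytes). The extractor joins the
 * entries with '|' into a freshly allocated C string. */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the entries, bounded only by `end`, copying into buf when it is non-NULL.
 * Returns the number of output bytes the join needs, NUL terminator included. */
static size_t walk_entries(const uint8_t *p, const uint8_t *end, uint16_t count, char *buf) {
    size_t w = 0;
    for (uint16_t i = 0; i < count && p < end; i++) {
        size_t len = *p++;
        if (len > (size_t)(end - p)) len = (size_t)(end - p);
        if (buf) { memcpy(buf + w, p, len); buf[w + len] = '|'; }
        w += len + 1; p += len;
    }
    if (buf) buf[w] = '\0';
    return w + 1;
}

/* VULNERABLE: the heap buffer is sized from the box's *declared* payload, but
 * the copy is driven by the per-entry lengths, which are never reconciled with
 * that allocation: entries claiming more than the box declares write past the
 * end of buf. The file, not the box, bounds the reads. Trusted input only. */
char *meta_join_vuln(const uint8_t *file, size_t file_len) {
    if (file_len < 10) return NULL;
    char *buf = malloc((size_t)rd32(file) - 8 + 1);
    if (buf) walk_entries(file + 10, file + file_len, rd16(file + 8), buf);
    return buf;
}

/* Same arithmetic as meta_join_vuln but touches no heap memory: how many bytes
 * past its allocation the vulnerable copy would write (0 means it fits). */
size_t vuln_overrun_bytes(const uint8_t *file, size_t file_len) {
    if (file_len < 10) return 0;
    size_t alloc = (size_t)rd32(file) - 8 + 1;
    size_t need = walk_entries(file + 10, file + file_len, rd16(file + 8), NULL);
    return need > alloc ? need - alloc : 0;
}

/* HARDENED: every length is checked against the enclosing structure before it
 * drives an allocation or a copy; any inconsistency rejects the whole box. */
char *meta_join_safe(const uint8_t *file, size_t file_len) {
    if (file_len < 10) return NULL;
    uint32_t box = rd32(file);
    if (box < 10 || box > file_len || memcmp(file + 4, "meta", 4) != 0) return NULL;
    const uint8_t *p = file + 10, *end = file + box;   /* reads bounded by the box */
    size_t cap = box - 8, w = 0;                        /* output cannot exceed the payload */
    uint16_t count = rd16(file + 8);
    char *buf = malloc(cap + 1);
    if (!buf) return NULL;
    for (uint16_t i = 0; i < count; i++) {
        if (p >= end) { free(buf); return NULL; }       /* count overruns the box */
        size_t len = *p++;
        if (len > (size_t)(end - p) || w + len + 1 > cap) { free(buf); return NULL; }
        memcpy(buf + w, p, len);
        buf[w + len] = '|';
        w += len + 1; p += len;
    }
    buf[w] = '\0';
    return buf;
}

/* Constructed samples. benign: a consistent box with entries "Title", "Author".
 * crafted: the box declares a 7-byte payload (size 15) but its single entry
 * claims 64 bytes, and the file really does supply them. */
static const uint8_t benign[] = { 0,0,0,23, 'm','e','t','a', 0,2,
                                  5,'T','i','t','l','e', 6,'A','u','t','h','o','r' };
static size_t make_crafted(uint8_t *out) {
    static const uint8_t hdr[] = { 0,0,0,15, 'm','e','t','a', 0,1, 64 };
    memcpy(out, hdr, sizeof hdr);
    memset(out + sizeof hdr, 'A', 64);
    return sizeof hdr + 64;                             /* 75 bytes */
}

int demo_benign_ok(void) {            /* both extractors agree on sane input: 1 */
    char *a = meta_join_vuln(benign, sizeof benign), *b = meta_join_safe(benign, sizeof benign);
    int ok = a && b && strcmp(a, "Title|Author|") == 0 && strcmp(a, b) == 0;
    free(a); free(b);
    return ok;
}
size_t demo_crafted_overrun(void) {   /* bytes the vulnerable copy would smash: 58 */
    uint8_t f[96]; size_t n = make_crafted(f);
    return vuln_overrun_bytes(f, n);
}
int demo_crafted_rejected(void) {     /* hardened parser refuses the crafted box: 1 */
    uint8_t f[96]; size_t n = make_crafted(f);
    return meta_join_safe(f, n) == NULL;
}
```

On the benign file both extractors return the same string. On the crafted file the vulnerable strategy allocates 8 bytes and would write 66, a 58-byte overrun into whatever sits next on the heap; the hardened parser never gets that far because the entry’s length exceeds what is left of the box. The general lesson is the one in the text: when two fields in a file can disagree about how big something is, every one of them must be checked against the structure that contains it before it is trusted for either an allocation or a copy.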


Amazon account takeover

On a real Kindle device, this flaw could be turned into code execution — meaning the attacker could make the device run their own instructions.

According to Ricotta, the exploit was not perfectly reliable, but that mattered less than it might: whenever the vulnerable background process crashed, it restarted automatically and retried the same file, handing the attacker another attempt.

“The exploit runs silently in the background, without the victim ever noticing,” the analyst said.

Given that Kindles often stay powered on for days, persistence alone made this a viable attack, he added.

Once code execution was achieved, the impact escalated quickly. Even limited access was enough to steal Amazon session cookies, the tokens that keep users logged in.

In a live demo, Ricotta showed himself logging into a victim's Amazon account from his own browser, without knowing the password.

He then chained this flaw with a second vulnerability involving an internal Kindle service used to manage the on-screen keyboard. The service ran with high privileges but lacked proper access controls, allowing him to load a malicious file and gain complete control of the device.

Amazon fixed both issues after responsible disclosure. Individually, the bugs were rated “high severity”, but together they crossed into “critical”, leading to the $20,000 bounty, which the analyst said he donated to charity.

An Amazon spokesman said:


"We identified and fixed vulnerabilities affecting Kindle E-readers and the Audible functionality on these devices. All affected devices have received automatic updates addressing these issues. We appreciate the security researchers who help us maintain high security standards for our customers."

