Security hole in Amazon's Kindle Touch
The web browser built into Amazon's Kindle Touch eBook reader contains a serious security hole: when a user navigates to a specially crafted web page, the Kindle will execute arbitrary shell commands as root. This allows attackers to access the eBook reader's underlying Linux system at the highest privilege level and potentially steal the access credentials for the Amazon account linked to the Kindle, or purchase books with the Kindle user's account.
Although the Kindle browser has been considered to be in "beta" for more than a year, this status doesn't reduce the risk for inquisitive users, as the software is installed on each device by default. The H's associates at heise Security have developed a proof-of-concept web page that allows arbitrary shell commands to be injected into a Kindle Touch with the current version 5.1.0 firmware. As an example, the Kindle sent the content of the /etc/shadow file, which contains the root user's password hash, to a heise Security web server; our associates then used a password cracker to determine the previously secret plain text password without much trouble.
This security issue was publicly documented about three months ago but hasn't attracted much attention – except in the jailbreak community. Recently, a browser-based jailbreak became available that allows users to install software, such as a Sudoku game, which has not been authorised for the device by Amazon.
The issue doesn't appear to affect any other Kindle models. Amazon's security department told heise Security that they are working on a patch. According to forum reports, some Kindle Touch devices are already being shipped with firmware version 5.1.1, which no longer contains the flaw. It is not possible for users to manually update their devices to this version.