It was only a matter of time before we had to worry about our books delivering more than a great story well told. We humans can be damned devious.
This Gizmodo article is pretty interesting, though a little thin on facts (see infra). Basically, it is possible to create a Kindle book with malicious code in its metadata. When a user views their list of titles under “Manage My Kindle” (now renamed “Manage Your Content and Devices”) on Amazon, that code executes in the user’s browser, and the user could end up with a compromised Amazon account or worse, one imagines. If you are a Calibre user, read on and confirm you’re on a patched version.
A more thorough discussion by Benjamin Mussler, the person who discovered the flaw, is here. Note that Calibre was also vulnerable, but the developer had it patched within 4 hours of being notified. Therefore, if you use Calibre and are not on version 1.80 or higher, you would be wise to update right now.
This flaw was pointed out to Amazon and patched nearly a year ago, but it was reintroduced by a recent update to the Manage Your Content pages. Amazon has re-patched the flaw, though they seem to have taken their sweet time about it. Third parties remain vulnerable.
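The fix Amazon and Calibre needed is the same one any site listing user-supplied book metadata needs: treat every metadata field as untrusted text and escape it before it is written into the page. The following is an added example, not code from the article, from Amazon or from Calibre; the sample book records and the renderer functions are constructed for illustration, and the second record’s title carries inert markup only so the escaping can be checked.

```javascript
// Added example (not from the article, Amazon or Calibre): rendering a
// "list of titles" page from book metadata. Once a user sideloads a file,
// its metadata is attacker-controlled, so it is text, never HTML.

// Constructed sample records; the second title carries inert markup.
const SAMPLE_BOOKS = [
  { title: "Best Romance Ever: Number 3 in series", author: "Suzie Author" },
  { title: "Free Book <script>/* inert */</script>", author: "<b>Anon</b>" },
];

// Minimal HTML escaper covering the five characters that matter in
// element-text and double/single-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: metadata concatenated straight into markup, which is
// the pattern behind the Manage Your Kindle flaw the article describes.
function renderVulnerable(books) {
  return books.map((b) => `<li>${b.title} by ${b.author}</li>`).join("\n");
}

// Hardened rendering: every field escaped before it reaches the page.
function renderSafe(books) {
  return books
    .map((b) => `<li>${escapeHtml(b.title)} by ${escapeHtml(b.author)}</li>`)
    .join("\n");
}

// Regression check a reviewer can run over rendered output: does any raw
// opening tag of the given name survive?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}[\\s>]`, "i").test(html);
}

// Stand-alone run: show both renderings side by side.
console.log("vulnerable:\n" + renderVulnerable(SAMPLE_BOOKS));
console.log("safe:\n" + renderSafe(SAMPLE_BOOKS));
```

Escaping at output time, rather than trying to strip "bad" characters when the file is ingested, is the design choice that held up here: the metadata is still stored as the user supplied it, and the page is safe regardless of which client wrote the file.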
I have additional thoughts on this.
First, about three or four months ago, there was a slew of sites that pointed to books on Google docs. I think there weren’t/aren’t actual books there, only malware. There’s been another spate of new pirate sites just recently, many of which appear to be registered to folks in China. Right. Stage set.
Pretend for a moment that you have discovered this Amazon vulnerability and have developed an exploit. Now, you must get this BookMalware (TM) into the hands of readers and onto a Kindle user’s Manage Your Device page. Or any other page similarly vulnerable.
A reader who obtains one of these malicious files and then sends it to their Kindle becomes vulnerable to an account hack, or some other Bookware (TM) attack. I mean sure, someone’s Amazon account credentials are a pretty juicy target, but I don’t see why malicious code would necessarily limit itself to grabbing credentials.
Just saying. There’s no evidence this happened or, even, that it would work. But hey.
Anyway, our MalBookWare (TM) developer must now get his product to users. You might well ask how. What leaps to mind is a website with malicious books just waiting for readers with Kindles. You must dangle the pretties and do everything you can to make your site look like there are loads of great books by great authors. All you have to deliver to the person on the other end is a mobi file with any old content, as long as the website makes it look like it’s a book by a favorite author.
Authors with services like Google Alerts or Talkwalker Alerts might start getting alerts like this:
Best Romance Ever: Number 3 in series pdf
My Book of Bible Stories and Prayers: AND My Book of Prayers
Best Romance Ever: Number 3 in series – Author, Suzie – PDF, EPUB, DOC Free Download EBook and Audiobook …
Anyone clicking on such a link, whether in an alert or through arriving at it after Googling for
Suzie Authors Best Romance Ever, Book 3, torrent
will be clicking a link (which I have altered so you can’t actually get there…) like the one below.
https://www.google . com/url?rct=j&sa=t&url =[removed]:// xxyebooks.[tld removed]/best-romance-ever-number-3-in-series_zqjr5.html&ct=ga&cd=CAEYACoUMTI5MjY0NTMzOTEwNzYyNjA4MDgyGRobert;('Drop Table Students;--sjg4gYzY0ZjI0ZjhjNzE5Y2I6Y29tOmVuOlVT&usg=AFQjCNGK5w9Tvxf3JSRA5DXs6q1JtSvZng
Ok, so I added the SQL injection just for kicks. Because it’s hilarious to SQL inject obfuscated code.
Anyhow, you see all that stuff after number-3-in-series_zqjr5.html? If the intent behind the link is bad, it could well be obfuscated code that will, eventually, get translated into a location that goes somewhere scary. Or not. Or to a script that delivers a malicious payload. You won’t get a book. You’ll get malware. Or, maybe, a file with a MalBookWare (TM) title.
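The practical check for a link like the one above is to unwrap the search-engine redirect and look at where it actually lands before anyone clicks. The following is an added example, not code from the article: the sample links, the `.example` hosts (reserved names standing in for the redacted site and for a retailer), the list of redirectors and the trusted-host list are all constructed for illustration.

```javascript
// Added example (not from the article): unwrap a Google "/url?" redirect and
// report the real landing host. The only part of the article's link a reader
// needs is the "url" query parameter; the rest is opaque tracking data.

// Constructed sample links. ".example" is a reserved TLD, standing in for the
// redacted pirate host and for a retailer; nothing here is a real site.
const SAMPLE_LINKS = [
  "https://www.google.com/url?rct=j&sa=t&url=http%3A%2F%2Fxxyebooks.example%2Fbest-romance-ever-number-3-in-series_zqjr5.html&ct=ga&cd=CAEYACoU&usg=AFQj",
  "https://www.google.com/url?sa=t&url=https://www.amazon.example/dp/B000000000",
  "https://www.amazon.example/dp/B000000000",
];

// Redirect wrappers we know how to unwrap, mapped to the query parameter that
// holds the destination. Assumption: only Google's "/url?url=" form is handled.
const REDIRECTORS = { "www.google.com": "url", "google.com": "url" };

// Constructed allow-list of hosts where a legitimate e-book link should land.
const TRUSTED_HOSTS = new Set(["www.amazon.example", "www.kobo.example"]);

// Follow wrapper links until a non-wrapper URL is reached. The hop bound keeps
// a chain of wrappers from looping forever. Returns null for unparsable input.
function unwrapRedirect(link, maxHops = 5) {
  let current;
  try { current = new URL(link); } catch (e) { return null; }
  for (let hop = 0; hop < maxHops; hop++) {
    const param = REDIRECTORS[current.hostname];
    if (!param) break;
    const target = current.searchParams.get(param); // percent-decoded for us
    if (!target) break;
    try { current = new URL(target); } catch (e) { return null; }
  }
  return current;
}

// Classify a link for a human: the host it really ends on, the scheme, whether
// it was hidden behind a wrapper, and whether the host is one we trust.
function inspectLink(link) {
  const landing = unwrapRedirect(link);
  if (!landing) return { ok: false, reason: "unparsable" };
  let startHost = null;
  try { startHost = new URL(link).hostname; } catch (e) { /* already handled */ }
  return {
    ok: TRUSTED_HOSTS.has(landing.hostname),
    host: landing.hostname,
    scheme: landing.protocol.replace(":", ""),
    wrapped: startHost !== landing.hostname,
  };
}

// Stand-alone run: one verdict per constructed link.
for (const link of SAMPLE_LINKS) console.log(link, "->", inspectLink(link));
```

Run under Node, the first link reports a landing host of `xxyebooks.example` over plain `http`, reached through a wrapper and not on the trusted list, which is exactly the combination the article is warning about; the two retailer links pass. An allow-list is deliberately used instead of a block-list because the lure sites change names faster than anyone can enumerate them.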
By the way
Registrant Name:WU YOUPO
Registrant Organization:WU YOUPO
Registrant Street: LIJIAPOLU
Registrant Postal Code:368742
There has been a great deal of speculation and public comment among some of the authors I know or know of. Many are making a connection between Kindle Unlimited and an increase in piracy, and well, maybe. But I think that’s not what they’re seeing.
There are several problems with those conclusions. Foremost is the erroneous belief that every site that advertises pirated books is actually delivering pirated books. They are not. They are delivering malware or just stealing payment information. The ironic good news for authors is that books are the bait. If people didn’t want the books, they would not be effective bait.
This is not an endorsement of anything. It’s just an observation.
The rash of Google docs as a (probable) malware delivery method isn’t an increase in actual piracy. Neither are any efforts to exploit that Kindle vulnerability, and you can bet that there were/are sites out there where the bait is supposedly pirated books by popular authors. The user may even believe they got the book, but the payload is malware.
If I were a malware deliverer, I wouldn’t bother pirating a book and altering the contents. I’d make my own content, disguise it as a popular book by grabbing the Amazon feed so I can populate the metadata and links with the author name and book title, and deliver it to the user. By the time they click on the content in their Manage my Device and say, hey! where’s my book by Suzie Author, a server in China has their Amazon credentials. Or worse.
A few more observations
Clicking on links to what looks like a pirate site is risky business. The click itself can deliver malware. It’s important to recognize that and not, if one cares about such things, conflate the apparent purpose of a link with its actual purpose. I would suggest, though, that no one should be saying, well, they got what they deserved for trying to steal books. The last thing any author should want is readers who think books = malware.
Any developer worth his or her salt can extrapolate out to sneakier things to do. I suspect Amazon, Apple, and Google can secure their vendor environments. I’m not so sure about Barnes & Noble since they can’t even be bothered to take care of their Warrior Cat problem. Kobo seems to care more, so I’ll put them on the vendors who are careful list until they prove otherwise.
My point, really, is if you’re pirating, be suspicious. If you’re an author, well, not all those links are actual instances of pirated books, and you shouldn’t be clicking either.