The first vulnerability discovered by an expert from RealModeLabs relates to a way to download your own books and documents to Kindle by sending them to a special mailing address. In theory, books can only be sent from an authorized address (by default, from the user's registration address in Amazon). In practice, it was found that Amazon did not use e-mail authentication because not all email services support them. This meant that outgoing e-mail was easy to forge.
The second vulnerability was found by Yogev Bar-On in the JPEG XR image processing library . An error in the image processor can lead to a buffer overflow, and the reference library did not have this vulnerability - it was introduced by the developers of Amazon. Here the researcher had to circumvent two technical difficulties. First, embedding JPEG XR images is only possible in a proprietary format for e-books from Amazon itself, which cannot be sent by mail. This was solved by embedding a malicious link into the book - it opens the browser built into the Kindle, which can also process images in this format. Second, the vulnerability leads to arbitrary code execution with limited rights. In addition, it required root access.
The Kindle was finally broken by the third vulnerability in the built-in app crash tracking mechanism. The process that monitors the stability of the Kindle is run as root. The researcher found a way to pass parameters to this process when the image handler "crashes", which caused the code to be executed already with superuser rights. The complete proof-of-concept attack is shown in the video above.
A real attack using these three vulnerabilities would look like this. Find out an e-mail that allows you to send a document to a specific user's Kindle. It often either matches the main email address (but on the kindle.com domain), or is presented in the (login) + (random character set) format, which can be guessed by brute-force. The user sees a new document, opens it and clicks on the link. An infected image is loaded in the browser, and we get full access to the victim's device. Access, in turn, can be used to steal login information for a user's account. Or to βbuyβ books from Amazon directly: for this, you can put a fake and very expensive book in the store.
All three vulnerabilities were patched by Amazon last year, and the researcher received a $ 18,000 Bug Bounty payment. The expert's article provides methods for solving all three problems. Now, if Amazon was unable to authenticate the email being sent, you will need to re-confirm this action before uploading the book. The image processor in JPEG XR format has been updated and the validation of transmitted data has been enhanced in the built-in debugger.
What else happened
The developer of storage systems QNAP warns of an attack on user devices with weak passwords: a cryptominer is massively installed on them.
Detailed description of the vulnerability that could bypass Windows built-in BitLocker data encryption. Bug CVE-2020-1398 was closed last summer.
Another recent write-up about a Shazam vulnerability that was closed two years ago. If you persuade the user to click on the prepared link on the device with the installed application, you could get the exact geolocation.
Another scenario for stealing personal data via a link: a researcher found a security hole in the Youtube service and could access private videos of any user, as well as the browsing history.
Critical vulnerabilities (including one with a CVSS rating of 9.9) have been found in Cisco SD-WAN solutions.
Nvidia is patching vulnerabilities in Shield TV boxes and Linux drivers for Tesla graphics cards.
Another studySecurity of the WebRTC protocol from Google Project Zero expert Natalie Silvanovich. As a result, five similar vulnerabilities in the messengers Signal, Google Duo, Facebook Messenger and others were closed. In theory, the vulnerabilities allowed initiating the transmission of audio and video without the user's consent.