A security researcher discovered a vulnerability in Amazon's Kindle Library that could lead to cross-site scripting attacks and account compromises.
The flaw, which affects the “Manage Your Content and Devices” and “Manage your Kindle” services in Amazon's web-based Kindle Library, could allow an attacker to inject malicious code into e-book metadata, such as the e-book's title, according to a blog post by researcher Benjamin Daniel Mussler.
Users who download e-books from untrusted third party sites, rather than official stores, and have them delivered from there to their Kindles can be affected. Following a successful attack, Amazon account cookies can be accessed and Amazon accounts “can be compromised.”
After discovering the same flaw in November 2013, which was disclosed to Amazon and addressed within days, the vulnerability resurfaced and was reported in July. Amazon has yet to respond or address it.