Amazon’s Kindle Touch web browser application has been found to contain a security hole that allows attackers to run shell commands as root, potentially enabling access to a user’s Amazon account.
A proof-of-concept script has been created that could copy a file containing the root user’s password hash, allowing the plain-text password to be recovered with a password cracker. Given that the current firmware (version 5.1.0) is installed on the majority of Kindle Touch devices sold across the world, any website that embeds the script could potentially gain access to a user’s account details.
While Kindle Touch users need to be warned of the issue, the real-world usage of the device’s browser is minimal, as is the number of websites that actually embed such a script.
H-online points out that Amazon’s security department is already working on a patch, and also suggests that some newer Kindle Touch shipments are already being sent to customers with the updated 5.1.1 firmware.
None of Amazon’s other Kindle e-readers, nor the Kindle Fire tablet, are affected by the exploit. So, for now, users will have to wait until Amazon rolls out its new update to ensure they are protected from the browser-based attack.