Hacker Demonstrates How a Malicious Kindle Ebook Can Hijack Amazon Accounts, Prompting New Warnings for Users
A cybersecurity researcher has revealed serious flaws in Amazon’s Kindle software that allowed him to take over a user’s entire Amazon account simply by loading a specially crafted ebook onto the device. The discovery, presented at the Black Hat Europe conference in London, has renewed warnings about the risks of downloading ebooks from third-party websites and highlighted the often overlooked security vulnerabilities in everyday smart devices.
The findings come from Valentino Ricotta, an ethical hacker and engineering analyst at Thales and its research division, Thalium, based in Rennes, France. Ricotta created a malicious ebook capable of exploiting hidden flaws within the Kindle operating system. Once a user opened the file on the device, the Kindle executed attacker-supplied code that gave full access to their Amazon account, including stored credit cards and linked devices.
According to Ricotta’s demonstration, the Kindle’s constant internet connection, long battery life and one-click purchasing system combine to create an attractive target for attackers. A compromised device could be used not only to access personal information, but also to pivot into the user’s home network or to other Amazon-registered devices.
Vulnerabilities Hidden Inside Kindle Software
Ricotta’s research uncovered security gaps in two unexpected areas of the Kindle’s software environment:
- Audiobook processing tools, which are installed on the device despite the Kindle’s inability to play audio files.
- The on-screen keyboard, which he was able to manipulate to trigger malicious behaviour.
By chaining both weaknesses, Ricotta forced the Kindle to load code that extracted Amazon session cookies, the authentication tokens that let a browser or app act on an account without the password being entered again. With a copy of those cookies he could act as the user, make purchases or read sensitive account data.
The researcher stressed that users are most at risk when sideloading ebooks from unofficial sources. Many Kindle owners download books in bulk from websites offering pirated or discounted titles, then transfer them via USB. Because the malicious file triggers the exploit when it is opened on the device, the attack does not depend on the ebook arriving over the network; a file copied across by USB cable is just as dangerous as one downloaded directly.
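To make concrete why a stolen session cookie is as good as a password, here is an added illustration (not code from Ricotta’s research, from Thales or from Amazon) of a minimal server-side session table. The user record, the device identifiers, the e-reader serial and the attacker’s laptop name are constructed for the example; the mitigations shown (binding a session to the device that created it, giving it a lifetime, and a “sign out everywhere” revoke) are general techniques, not a description of how Amazon implements sessions.

```python
"""Session-cookie replay: a stolen token authenticates without a password.

Added illustration, not the code from the Kindle research described on the page.
The user store, device identifiers and timestamps below are constructed.
"""
import hashlib
import secrets

# Constructed sample user store (password stored as a hash, for realism only).
_USERS = {
    "reader@example.com": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

T0 = 1_700_000_000  # fixed "now" so the scenarios are deterministic


class SessionStore:
    """Server-side session table keyed by a hash of the opaque cookie value."""

    def __init__(self, ttl_seconds: int = 3600, bind_to_device: bool = False):
        self._sessions = {}  # token hash -> {"user", "device", "issued"}
        self.ttl = ttl_seconds
        self.bind_to_device = bind_to_device

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a dump of this table cannot itself be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, password: str, device_id: str, now: float):
        """Check credentials once and hand back the cookie value."""
        if _USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "device": device_id, "issued": now}
        return token

    def authenticate(self, token: str, device_id: str, now: float):
        """Resolve a presented cookie to a user, or None. No password is involved."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        if now - rec["issued"] > self.ttl:          # lifetime limits the window of a theft
            del self._sessions[self._key(token)]
            return None
        if self.bind_to_device and rec["device"] != device_id:
            return None                             # cookie presented from a different client
        return rec["user"]

    def revoke_all(self, user: str) -> int:
        """What a 'sign out of all devices' button does: every copy dies at once."""
        before = len(self._sessions)
        self._sessions = {k: v for k, v in self._sessions.items() if v["user"] != user}
        return before - len(self._sessions)


def _victim_login(store: SessionStore, now: float) -> str:
    cookie = store.login("reader@example.com", "correct horse battery staple",
                         device_id="kindle-serial-0001", now=now)
    assert cookie is not None
    return cookie


def replay_succeeds(bind_to_device: bool) -> bool:
    """Victim signs in on the e-reader; the cookie is then replayed from a laptop."""
    store = SessionStore(ttl_seconds=3600, bind_to_device=bind_to_device)
    cookie = _victim_login(store, now=T0)
    assert store.authenticate(cookie, "kindle-serial-0001", now=T0 + 10) == "reader@example.com"
    return store.authenticate(cookie, "attacker-laptop", now=T0 + 60) is not None


def expired_token_accepted() -> bool:
    """A cookie stolen but replayed after its lifetime should be worthless."""
    store = SessionStore(ttl_seconds=3600)
    cookie = _victim_login(store, now=T0)
    return store.authenticate(cookie, "attacker-laptop", now=T0 + 3601) is not None


def revoke_kills_stolen_copy() -> bool:
    """Revoking the user's sessions invalidates the attacker's copy too."""
    store = SessionStore(ttl_seconds=3600)
    cookie = _victim_login(store, now=T0)
    assert store.revoke_all("reader@example.com") == 1
    return store.authenticate(cookie, "attacker-laptop", now=T0 + 60) is None


if __name__ == "__main__":
    print("unbound cookie replayed from another device works:", replay_succeeds(False))
    print("device-bound cookie replayed from another device works:", replay_succeeds(True))
    print("expired cookie accepted:", expired_token_accepted())
    print("revoke defeats stolen copy:", revoke_kills_stolen_copy())
```

The first scenario is the one the article describes: the server only ever sees a bearer token, so it cannot tell the e-reader from the attacker’s laptop. Device binding raises the bar, but note the caveat for this particular attack: code running on the victim’s own Kindle can read whatever device identifier the server binds to, so binding is a speed bump rather than a fix. What reliably ends the session for an attacker is revocation (signing out of all devices) together with the vendor patch, which is why the advice later on the page is to watch the account and keep the device updated.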
Amazon Patches the Flaws After Report
Ricotta reported the vulnerabilities to Amazon through its bug bounty program. Both flaws were classified as critical and quickly patched by the company. For his discovery, Ricotta received a $20,000 reward, which Thales donated to charity.
This is not the first time Kindles have been shown to be vulnerable. Similar ebook-based attacks were demonstrated in 2021 by researchers at Realmode Labs and Check Point. However, cybersecurity experts say Ricotta’s audiobook-related exploit is particularly sophisticated.
Security Experts Warn Against Underestimating “Unimportant” Devices
Cybersecurity specialists have responded by emphasising a broader lesson: even devices perceived as low risk can serve as quiet entry points for attackers.
Professor Alan Woodward of the University of Surrey compared it to securing a home while leaving a side window open, noting that Internet of Things devices often run complex software and connect to the cloud despite appearing simple.
Professor George Loukas of the University of Greenwich called Ricotta’s exploit “well crafted” and significant given the value of Amazon account access and the increasing popularity of audiobooks.
Growing Risks in the Ebook Ecosystem
As ebook consumption rises and digital libraries grow, researchers warn that malicious files targeting e-readers are likely to become more common. Unlike laptops or smartphones, devices such as Kindles typically receive less scrutiny from their owners and often run for years without the user checking for security updates or noticing anything amiss.
While Amazon has patched the specific weaknesses uncovered in this latest research, experts advise Kindle users to avoid downloading ebooks from unofficial sites, to update their devices regularly and to monitor their Amazon accounts for unusual activity.
The incident serves as a reminder that even the most familiar household gadgets can harbour hidden vulnerabilities — and that personal data security increasingly depends on treating every connected device, no matter how simple, as part of a larger and potentially vulnerable digital ecosystem.
