An ethical hacker has warned Kindle users against downloading e-books from third-party sites after discovering a vulnerability that could expose credit card information.
A researcher who hijacked an Amazon account by hacking a Kindle has warned people about the dangers of downloading e-books.
Valentin Ricotta, a researcher at Thales, the security and defence group, found a flaw that he could exploit: once a malicious e-book had been loaded onto the device, he had access to the linked Amazon account.
Ricotta, an ethical hacker at Thalia, the research arm of Thales in Rennes, France, looks for vulnerabilities in common devices. He presented his findings in a session called Don't Judge an Audiobook by its Cover at the Black Hat Europe hacking conference in London.
He said: "The main victim is this one; it sits in my lab. It is only supposed to fetch books from the store.
"If an attacker gets a foot in a Kindle, they can access personal data, access your credit card information, access your local network or even other devices registered to your Amazon account."
Ricotta discovered flaws in the Kindle software that scans and extracts information from audiobooks. This software is present on the e-reader even though the device cannot play audio files.
He also discovered a vulnerability in the device's keyboard component. By chaining the flaws, he tricked the Kindle into running malicious code, which allowed him to obtain Amazon cookies, the tokens that grant access to the account.
Ricotta said people could be exposed to this kind of hack if they "side-load" Kindle books through non-Amazon stores.
"Many people who put books on their Kindle go to third-party websites, download a lot of books and just put them on their Kindle via USB. And so the exploit can work even if the Kindle is offline. So it's about being aware of these threats, and don't trust third-party websites," he added.
Ricotta reported the "serious" flaw to Amazon, which has since fixed it. He received a $20,000 (£15,000) "bug bounty", which the company awards to ethical hackers who disclose vulnerabilities and which Thales donates to charity.
Kindles have been compromised before through malicious e-books, including in 2021 by researchers from Realmode Labs and Check Point.
Alan Woodward, professor of cyber security at the University of Surrey, said: "It's a hard attack, but it just shows that machines have many ways into them and every one of them needs to be secured; it's like locking the door but leaving the window open.
"These types of bugs go unnoticed for some time because the devices are considered unimportant. But they actually run software and are remotely connected to the back end and have the ability to act as an attack tool. They're often unnoticed devices, often 'Internet of Things' [smart] devices, that suddenly turn out to be secret doors."
George Loukas, professor of cyber security at the University of Greenwich, said: "Vulnerabilities in Kindle e-books have been shown in the past, but this new one is very specific to how audiobooks work. It is important to remember how many people listen to audiobooks and how valuable access to their Amazon accounts is."
Amazon said: "We discovered and fixed a vulnerability that affected Kindle e-readers and Audible functionality on these devices. All affected devices have received an automatic update that fixes the issue. We thank our security researchers who help maintain high security standards for our customers."
