
All you need to know about the Amazon Kindle security hack.
Updated December 16 with news of another warning for Amazon users as hackers take advantage of fears surrounding accounts being hacked, and a statement from Amazon, alongside the original reporting on critical Kindle security vulnerabilities as demonstrated at the Black Hat Europe hacker convention.
Amazon users are always a prime target for hackers, every pun intended, although it is usually phishing attacks that make the headlines. But what if I were to tell you that your Kindle could be used to gain full access to your Amazon account through a malicious book download? Here’s everything you need to know about the critical Amazon Kindle hack that has been demonstrated at the Black Hat Europe hacker convention in London.
Hacker Creates Malicious Book To Access Amazon Accounts
There is never a shortage of security surprises at the Black Hat Europe hacking conference, and the 2025 London-based event proved to be no exception. A cybersecurity researcher demonstrated how it was possible to access an Amazon account using critical vulnerabilities uncovered in the Kindle. What’s more, and the real surprise, it took nothing more than a malicious book download loaded onto the ebook reader.
Valentino Ricotta, an engineering analyst at defense and security company Thales, discovered critical vulnerabilities in Kindle software, specifically in the onscreen keyboard and audiobook processing components. The vulnerabilities enabled Ricotta to access Amazon session cookies, which grant access to an already authenticated account session without requiring any additional password or authentication input.
The hacker analyzed the custom Amazon Kindle parsing code for Audible books and found a memory error that could be used to trigger the attack if malicious code was included within a manipulated audiobook download.
Once triggered, enough access was achieved to steal the all-important Amazon session cookies, and, as reported by Cybernews, Ricotta demonstrated how this gave access to the associated Amazon account, live on the Black Hat Europe stage. Ricotta then chained this with a second critical vulnerability, this time affecting the onscreen keyboard, which ran with elevated privileges but insufficient access control, to gain complete control over the Kindle using another malicious file.
Another Amazon Security Warning As Account Takeover Fears Exploited
A well-known cybersecurity expert, Javvad Malik from KnowBe4, has warned Amazon users to be vigilant and stay alert, as a surge of phishing attacks exploiting fears of Amazon account hacker attacks has been observed. This type of scam is nothing new, of course, and cybercriminals will naturally look to play on the fact that this is a peak consumer shopping period. Paused Payment PayPal attacks have been confirmed, and 300 million Amazon users were at risk across the recent Black Friday sales. Now it’s those Amazon users who are back in the spotlight, as Malik warned of a complex, multi-layered attack that starts with a phone call from someone supposedly from the Amazon fraud department. They are no such thing, but the call can be very convincing when the recipient is rushed, stressed and then told that their Amazon account has been hacked. The hacker can take advantage in many ways, from using remote-access apps to take control of the victim’s device, to compromising Amazon account credentials, or even persuading the victim to transfer funds in order to somehow solve the issue.
“On the face of it, this scam is quite alarming as no one wants to be on the hook for purchasing multiple expensive items such as iPhones; and therefore, emotions will be high and urgency to make the problem go away will start to take over people’s more rational sides,” Malik said.
Be sure to get up to date with impersonation scam attacks by checking out Amazon’s advice on the matter.
All Affected Kindle Devices Have Received Automatic Patches, Amazon Said
The good news is that this was a responsible hacker, one who has even competed at Pwn2Own, and Ricotta disclosed the vulnerabilities to Amazon, which fixed them before the demonstration. Ricotta was awarded a critical bug bounty payment of $20,000 by Amazon.
I approached Amazon for a statement and a spokesperson told me: “We identified and fixed vulnerabilities affecting Kindle E-readers and the Audible functionality on these devices. All affected devices have received automatic updates addressing these issues. We appreciate the security researchers who help us maintain high security standards for our customers.”