Rewriting the Book on Malicious Attacks

26 September 2014

The majority of the public knows the danger associated with illegal downloads. Whether movies or music, the risk of virus attacks on your computer, mobile or tablet can be devastating. Imagine if hackers could hide malicious code within seemingly normal code, for example within product listings online or even within e-books.

How is it possible?

The XSS (Cross-Site Script) vulnerability is embedded into the files metadata (the information concerned about the data e.g. title, date of creation etc.) or hidden within existing code. Standard security practice is to patch bugs and security holes as soon as they are made aware, however users of Amazon and Ebay may be at risk for 2 completely different reasons, meaning XSS (Cross-Site Script) attacks continue to plague the online marketplace. A successfully exploited XSS vulnerability will allow attackers to do phishing attacks, and even steal accounts.


The vulnerability of Javascript and flash content significantly raises the likelihood of hijacking with malicious code, an option available to all users listing their products through Ebay in order to gain popularity among online shoppers.

Users are enticed to particular listings through “too good to be true” offers, e.g. piggy-backing on recent iPhone releases or luxury hardware for low prices.  By integrating malicious code through their product listing themselves, visitors to particular product listings were automatically redirected to a hoax website. By mirroring the image of the official eBay login page, this can cause unsuspecting victims to enter their login details.

By hijacking their account, hackers can spread the code through further postings. And so the cycle continues until Ebay takes action.


Similarly, Amazon have made similar blunders with the most recent update, reopening a flaw previously patched a year before. Targeting illegal e-books, hackers are capable of inserting malicious code inside the metadata of *.mobi and *.awz files which are then distributed illegally.

Targeting Amazons Kindle platforms is key for the success of the attack. In October 2013, the original problem was flagged and patched within days, but recently reintroduced through a “manage your Kindle” application update, allowing direct access to users Amazon account details. Identified by Benjamin Mussler in the first instance received prompt reaction from the Washington based supplier, however once he alerted the company the second time, received no reply. The flaw was then made public after 2 months of vulnerability.

From the users perspective, the native Manage Your Kindle application will forward the user to the Kindle Library web page. The hackers then extract the Amazon account cookies utilised when visiting the site, which are saved locally to verify you are you, saving time and effort through repeated login processes.

While the risk factors are relatively low in this instance, in terms of hacking sophistication. Information held through cookies limit the impact hackers can have, whereby credit card and location information is not stored, potentially ordering a high number of deliveries to an address to max-out credit cards is the worst case scenario. Benjamin Mussler states “users who stick to e-books sold and delivered by Amazon should be safe”. A number of high profile cases have involves similar multinational organisations receiving more devastating attack e.g. eBay (as of 17th September 2014).

By the time of writing the Amazon flaw had successfully been fixed after public announcement. However, reports indicate it the flaw in ebays listings is still live despite the XSS affecting a multitude of product listings, for example taking advantage of the new iPhone 6 and 6 Plus through 5s listings.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission