Security researchers at imec-DistriNet Research Group have discovered the vulnerabilities in e-book reading systems that allow hackers to exploit the user’s system by targeting the specific aspects of the electronic publication (EPUB).
Security researchers Gertjan Franken, Tom Van Goethem, and Wouter Joosen published a research paper that reads that e-book reading systems have similar flaws to web browsers. The electronic publication (EPUB) format depends primarily on XHTML and CSS (Cascading Style Sheets) to design e-books, with browser engines often used to render their contents.
Unfortunately, none of the e-book reading systems researchers properly followed the EPUB specification’s security guidelines. The researchers used the semi-automated testbed to identify that 16 of the 97 systems allowed an EPUB to leak information about the user’s file system, and in eight cases, extract file contents. Researchers warned that hackers could easily achieve full e-book reading systems.
“Of course, the significance depends on the platform that is used; e-readers generally won’t contain sensitive files, while smartphones could contain private pictures,” Franken told The Daily Swig. The team also carried out a manual evaluation of the most popular EPUB reading applications on Amazon Kindle, Apple Books, and the EPUBReader browser extension – and found several flaws.
Vulnerabilities were also discovered in Apple Books, available pre-installed on macOS, and in the Windows version of Adobe Digital Editions.
“Fortunately, the developers of Amazon, Apple, and Adobe were very responsive to our bug reports and were eager to fix the issues. Secondly, we argue that practical guidelines on how to handle the security and privacy aspects of developing a EPUB reading application would greatly aid developers. Ideally, this would include guidelines on how to correctly configure popular browser engines, such that important security policies prevent an EPUB from gaining too much [many] privileges,” Franken concluded.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.