Security Experts Unearthed the Flaws in EPUB Similar to Web Browsers
Security researchers at imec-DistriNet Research Group have discovered the vulnerabilities in e-book reading systems that allow hackers to exploit the user’s system by targeting the specific aspects of the electronic publication (EPUB).
Security researchers Gertjan Franken, Tom Van Goethem, and Wouter Joosen published a research paper that reads that e-book reading systems have similar flaws to web browsers. The electronic publication (EPUB) format depends primarily on XHTML and CSS (Cascading Style Sheets) to design e-books, with browser engines often used to render their contents.
Unfortunately, none of the e-book reading systems researchers properly followed the EPUB specification’s security guidelines. The researchers used the semi-automated testbed to identify that 16 of the 97 systems allowed an EPUB to leak information about the user’s file system, and in eight cases, extract file contents. Researchers warned that hackers could easily achieve full e-book reading systems.
“Of course, the significance depends on the platform that is used; e-readers generally won’t contain sensitive files, while smartphones could contain private pictures,” Franken told The Daily Swig. The team also carried out a manual evaluation of the most popular EPUB reading applications on Amazon Kindle, Apple Books, and the EPUBReader browser extension – and found several flaws.
“For instance, the Amazon Kindle does not allow an EPUB to execute embedded JavaScript. Nevertheless, this can be circumvented by a creative attacker through an input validation issue. The embedded scripts could then exploit a publicly known vulnerability of the Kindle’s outdated web engine to gain access to documents in the user’s library. The embedded scripts could then exploit a publicly known vulnerability of the Kindle’s outdated web engine to gain access to documents in the user’s library,” Franken explained.
Vulnerabilities were also discovered in Apple Books, available pre-installed on macOS, and in the Windows version of Adobe Digital Editions.
“Fortunately, the developers of Amazon, Apple, and Adobe were very responsive to our bug reports and were eager to fix the issues. Secondly, we argue that practical guidelines on how to handle the security and privacy aspects of developing a EPUB reading application would greatly aid developers. Ideally, this would include guidelines on how to correctly configure popular browser engines, such that important security policies prevent an EPUB from gaining too much [many] privileges,” Franken concluded.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
