Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacker discovered security flaws in Amazon, Apple and Google epub services

A hacker discovered a XXE flaw in the EpubCheck library that affects major epub services causing information disclosure and denial of service conditions. The security expert and bug hunter Craig Arendt (@craig_arendt) has discovered flaws in major eBook readers including the ones commercialized by Amazon, Apple, and Google. The expert discovered different XML external entity (XXE) […]

Hacker discovered security flaws in Amazon, Apple and Google epub services

A hacker discovered a XXE flaw in the EpubCheck library that affects major epub services causing information disclosure and denial of service conditions.

The security expert and bug hunter Craig Arendt (@craig_arendt) has discovered flaws in major eBook readers including the ones commercialized by Amazon, Apple, and Google.

The expert discovered different XML external entity (XXE) vulnerabilities in the online epub ebook services that use leverages the ‘EpubCheck’ library.  The library is used for the operations of format conversions into the universal Epub book format.

“Applying a familiar XXE pattern to exploit services & readers that consume the ePUB format. Exploiting vulnerabilities in EpubCheck <= 4.0.1 (ePub Validation Java Library & tool), Adobe Digital Editions <= 4.5.2 (book reader), Amazon KDP (Kindle Publishing Online Service), Apple Transporter, and Google Play Book uploads, etc.”

“ePub is a standard format for open books maintained by IDPF (International Digital Publishing Forum). IDPF is a trade and standards association for the digital publishing industry, set up to establish a standard for ebook publishing. Their membership list: http://idpf.org/membership/members” reads a blog post published by Arendt.

The researcher focused its tests the tool/Java library called EpubCheck (provided by IDPF) used to validate books in the ePub format. Publishers perform a validation step using the library to verify that the format is valid and Arendt discovered the XML external entity (XXE) issue.

“The validator tool (EpubCheck) was vulnerable to XXE, so any application that relies on a vulnerable version to check the validity of a book would be susceptible to this type of attack.” continues the analysis.

epub services

Arendt explained that in the case of Amazon, the KDP Kindle file upload service used to help publishers upload their books was affected by an XXE flaw that could be exploited by attackers to steal books and data.

A similar flaw affected the Apple Transporter service that ships books to the App Store.

“Parsing maliciously crafted EPUB may lead to disclosure of user information

Description: An information disclosure issue existed in the parsing of EPUB. This issue was addressed through improved parsing. CVE-2016-7666: Craig Arendt of Stratum Security” state the advisory published by Apple.

Arendt confirmed that during the test he accidentally grabbed the shadow password file for one of the epub services using the vulnerable EpubCheck library.

The Google Play Books service was not affected by the XXE flaw, but the expert discovered the possibility to trigger an XML Entity expansion flaw that could be exploited to cause denial of service through an explosive growth of parsed data.

“The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.” states the advisory published by the Mitre.org.

“If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.”

Similar problems affect other services that permit Java and Flash, Arendt will disclose further attacks once the vendors have fixed the vulnerabilities he reported.

All the vendors above have already applied the necessary security patches to the vulnerable epub services.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – epub services, hacking)