Mobile // Mobile Devices
04:33 PM
Connect Directly
Don't Miss The All Analytics Academy: Analytics for All - A Right Start
Jun 07, 2016
Whether your organization is considering the use of big data and analytics, or has taken its first ...Read More>>

Amazon Kindle Publishing For Blogs Vulnerable To Scams

Security experts find a way to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

Amazon Kindle DX
(click image for larger view)
Amazon Kindle DX on Wednesday rolled out a new service to let bloggers sell Kindle users subscriptions to their blogs, but it forgot to make the service secure.

Amazon Kindle Publishing for Blogs is a self-publishing service through which online publishers can sell subscriptions to their work at prices ranging from 99 cents to $1.99 per month. To get started, publishers submit their contact and payment information through a vendor setup form, and accept Amazon's terms of service.

After that, they can easily make their blogs available through Amazon's Kindle Store.

On Thursday, Josh Fraser, a software engineer and the co-founder of EventVue, discovered that Amazon had neglected to include any technical mechanism to determine whether the person submitting a blog feed to be sold actually owned the content in question. It's thus a simple matter to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

That may not be the most lucrative scam in the world, but it's nonetheless free money.

"The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name," Fraser said in a blog post. "I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong -- especially when there is a large audience and money to be gained."

Fraser suggests that Amazon do as Google does: establish ownership by requiring the insertion of a meta tag on one's blog page or the placement of an authentication file on one's Web server.

Asked whether it was aware of the vulnerability and how it planned to address it, Amazon acknowledged the issue but provided no clear plan for remediation.

"Kindle Publishing for Blogs Beta is a powerful way for bloggers to publish their content to the Kindle community, and we have streamlined the process to help rights holders launch their content as quickly as possible," a company spokesperson said in an e-mail. "Occasionally, people publish material to which they do not have rights, in violation of the Terms and Conditions for Kindle Publishing for Blogs. In these cases we react vigorously to remove unauthorized copyrighted material.

"The listing of a few unauthorized blogs was unfortunate and we have subsequently removed those titles," Amazon's spokesperson said.

Unless some mechanism is put in place to prevent unauthorized blog claims, Amazon may find itself removing those titles repeatedly.

Attend a Webcast on protecting your company and customer data. It happens May 20. Find out more and register.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
2016 InformationWeek Elite 100
Our 28th annual ranking of the leading US users of business technology.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.