Amazon Kindle Publishing For Blogs Vulnerable To Scams
Security experts find a way to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.
(click image for larger view)
Amazon Kindle DX
Amazon.com on Wednesday rolled out a new service to let bloggers sell Kindle users subscriptions to their blogs, but it forgot to make the service secure.
Amazon Kindle Publishing for Blogs is a self-publishing service through which online publishers can sell subscriptions to their work at prices ranging from 99 cents to $1.99 per month. To get started, publishers submit their contact and payment information through a vendor setup form, and accept Amazon's terms of service.
After that, they can easily make their blogs available through Amazon's Kindle Store.
On Thursday, Josh Fraser, a software engineer and the co-founder of EventVue, discovered that Amazon had neglected to include any technical mechanism to determine whether the person submitting a blog feed to be sold actually owned the content in question. It's thus a simple matter to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.
That may not be the most lucrative scam in the world, but it's nonetheless free money.
"The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name," Fraser said in a blog post. "I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong -- especially when there is a large audience and money to be gained."
Fraser suggests that Amazon do as Google does: establish ownership by requiring the insertion of a meta tag on one's blog page or the placement of an authentication file on one's Web server.
Asked whether it was aware of the vulnerability and how it planned to address it, Amazon acknowledged the issue but provided no clear plan for remediation.
"Kindle Publishing for Blogs Beta is a powerful way for bloggers to publish their content to the Kindle community, and we have streamlined the process to help rights holders launch their content as quickly as possible," a company spokesperson said in an e-mail. "Occasionally, people publish material to which they do not have rights, in violation of the Terms and Conditions for Kindle Publishing for Blogs. In these cases we react vigorously to remove unauthorized copyrighted material.
"The listing of a few unauthorized blogs was unfortunate and we have subsequently removed those titles," Amazon's spokesperson said.
Unless some mechanism is put in place to prevent unauthorized blog claims, Amazon may find itself removing those titles repeatedly.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.