Mobile // Mobile Devices
04:33 PM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

Amazon Kindle Publishing For Blogs Vulnerable To Scams

Security experts find a way to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

Amazon Kindle DX
(click image for larger view)
Amazon Kindle DX on Wednesday rolled out a new service to let bloggers sell Kindle users subscriptions to their blogs, but it forgot to make the service secure.

Amazon Kindle Publishing for Blogs is a self-publishing service through which online publishers can sell subscriptions to their work at prices ranging from 99 cents to $1.99 per month. To get started, publishers submit their contact and payment information through a vendor setup form, and accept Amazon's terms of service.

After that, they can easily make their blogs available through Amazon's Kindle Store.

On Thursday, Josh Fraser, a software engineer and the co-founder of EventVue, discovered that Amazon had neglected to include any technical mechanism to determine whether the person submitting a blog feed to be sold actually owned the content in question. It's thus a simple matter to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

That may not be the most lucrative scam in the world, but it's nonetheless free money.

"The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name," Fraser said in a blog post. "I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong -- especially when there is a large audience and money to be gained."

Fraser suggests that Amazon do as Google does: establish ownership by requiring the insertion of a meta tag on one's blog page or the placement of an authentication file on one's Web server.

Asked whether it was aware of the vulnerability and how it planned to address it, Amazon acknowledged the issue but provided no clear plan for remediation.

"Kindle Publishing for Blogs Beta is a powerful way for bloggers to publish their content to the Kindle community, and we have streamlined the process to help rights holders launch their content as quickly as possible," a company spokesperson said in an e-mail. "Occasionally, people publish material to which they do not have rights, in violation of the Terms and Conditions for Kindle Publishing for Blogs. In these cases we react vigorously to remove unauthorized copyrighted material.

"The listing of a few unauthorized blogs was unfortunate and we have subsequently removed those titles," Amazon's spokesperson said.

Unless some mechanism is put in place to prevent unauthorized blog claims, Amazon may find itself removing those titles repeatedly.

Attend a Webcast on protecting your company and customer data. It happens May 20. Find out more and register.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.