Amazon Kindle Publishing For Blogs Vulnerable To Scams - InformationWeek
5/15/2009
04:33 PM

Amazon Kindle Publishing For Blogs Vulnerable To Scams

Security experts find a way to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

Amazon Kindle DX

Amazon.com on Wednesday rolled out a new service to let bloggers sell Kindle users subscriptions to their blogs, but it forgot to make the service secure.

Amazon Kindle Publishing for Blogs is a self-publishing service through which online publishers can sell subscriptions to their work at prices ranging from 99 cents to $1.99 per month. To get started, publishers submit their contact and payment information through a vendor setup form, and accept Amazon's terms of service.

After that, they can easily make their blogs available through Amazon's Kindle Store.

On Thursday, Josh Fraser, a software engineer and the co-founder of EventVue, discovered that Amazon had neglected to include any technical mechanism to determine whether the person submitting a blog feed to be sold actually owned the content in question. It's thus a simple matter to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.

That may not be the most lucrative scam in the world, but it's nonetheless free money.

"The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name," Fraser said in a blog post. "I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong -- especially when there is a large audience and money to be gained."

Fraser suggests that Amazon do as Google does: establish ownership by requiring the insertion of a meta tag on one's blog page or the placement of an authentication file on one's Web server.
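The ownership check Fraser describes can be sketched as follows. This is an added example, not Amazon's or Google's code: the service issues a token bound to the submitting account and the blog's host, then accepts the claim only if that token appears in a meta tag inside the page's `<head>` or in an authentication file fetched from the server. The key, the meta tag name, the function names and the sample pages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from html.parser import HTMLParser

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the publishing service
META_NAME = "publisher-verification"  # hypothetical meta tag name

# Constructed sample pages (not real sites); {} is filled with a token.
OWNER_PAGE = '<html><head><meta name="publisher-verification" content="{}"></head><body>post</body></html>'
BODY_PAGE = '<html><head><title>blog</title></head><body><meta name="publisher-verification" content="{}"></body></html>'


def issue_token(account_id: str, blog_host: str) -> str:
    """Token tied to one account and one host, so it is useless to any other submitter."""
    msg = f"{account_id}|{blog_host.lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class HeadMeta(HTMLParser):
    """Collects verification meta values from <head> only, not from post or comment markup."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == META_NAME and a.get("content"):
                self.values.append(a["content"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def verify_claim(account_id, blog_host, homepage_html="", auth_file_body=None):
    """True if the fetched page's <head> or the authentication file carries the expected token."""
    expected = issue_token(account_id, blog_host).encode()
    parser = HeadMeta()
    parser.feed(homepage_html)
    candidates = list(parser.values)
    if auth_file_body is not None:
        candidates.append(auth_file_body.strip())
    return any(hmac.compare_digest(c.encode(), expected) for c in candidates)
```

The service must fetch the page or file itself from the claimed host; content supplied by the submitter proves nothing.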

Asked whether it was aware of the vulnerability and how it planned to address it, Amazon acknowledged the issue but provided no clear plan for remediation.

"Kindle Publishing for Blogs Beta is a powerful way for bloggers to publish their content to the Kindle community, and we have streamlined the process to help rights holders launch their content as quickly as possible," a company spokesperson said in an e-mail. "Occasionally, people publish material to which they do not have rights, in violation of the Terms and Conditions for Kindle Publishing for Blogs. In these cases we react vigorously to remove unauthorized copyrighted material.

"The listing of a few unauthorized blogs was unfortunate and we have subsequently removed those titles," Amazon's spokesperson said.

Unless some mechanism is put in place to prevent unauthorized blog claims, Amazon may find itself removing those titles repeatedly.


