Amazon Kindle Publishing For Blogs Vulnerable To Scams
Security experts find a way to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.
(click image for larger view)
Amazon Kindle DX
Amazon.com on Wednesday rolled out a new service to let bloggers sell Kindle users subscriptions to their blogs, but it forgot to make the service secure.
Amazon Kindle Publishing for Blogs is a self-publishing service through which online publishers can sell subscriptions to their work at prices ranging from 99 cents to $1.99 per month. To get started, publishers submit their contact and payment information through a vendor setup form, and accept Amazon's terms of service.
After that, they can easily make their blogs available through Amazon's Kindle Store.
On Thursday, Josh Fraser, a software engineer and the co-founder of EventVue, discovered that Amazon had neglected to include any technical mechanism to determine whether the person submitting a blog feed to be sold actually owned the content in question. It's thus a simple matter to submit a blog authored by someone else and collect the 30% subscription fee royalty that Amazon pays.
That may not be the most lucrative scam in the world, but it's nonetheless free money.
"The interesting thing about this vulnerability is that there are already accepted methods in place for verifying that someone owns a domain name," Fraser said in a blog post. "I understand that Amazon may have wanted to remove the friction from getting people started, but this stuff matters too much to get wrong -- especially when there is a large audience and money to be gained."
Fraser suggests that Amazon do as Google does: establish ownership by requiring the insertion of a meta tag on one's blog page or the placement of an authentication file on one's Web server.
Asked whether it was aware of the vulnerability and how it planned to address it, Amazon acknowledged the issue but provided no clear plan for remediation.
"Kindle Publishing for Blogs Beta is a powerful way for bloggers to publish their content to the Kindle community, and we have streamlined the process to help rights holders launch their content as quickly as possible," a company spokesperson said in an e-mail. "Occasionally, people publish material to which they do not have rights, in violation of the Terms and Conditions for Kindle Publishing for Blogs. In these cases we react vigorously to remove unauthorized copyrighted material.
"The listing of a few unauthorized blogs was unfortunate and we have subsequently removed those titles," Amazon's spokesperson said.
Unless some mechanism is put in place to prevent unauthorized blog claims, Amazon may find itself removing those titles repeatedly.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 18, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."