05-27-2012, 11:31 AM   #10
knc1
Quote:
Originally Posted by ixtab
@eureka: Great job!

As this is a HUGE security issue, I expect this to be fixed with the next Firmware release. I'd bet my money that Amazon starts fixing this as soon as they read this thread.

Or just stop running the browser (and nearly everything else) as 'root'.

One "common" practice is to make the browser suid and the user id as "nobody" (with "nobody" not having any privileges of any kind).

Not sure if the Kindles have such a user already set up, but somebody with time on their hands might check this out for us.
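One way to run the check suggested in the post above, as an added example that is not part of the original post or thread: a POSIX shell audit that confirms an account such as "nobody" exists with a non-zero uid and gid, and lists which commands in a process listing run as root. The function names, the sample passwd entries and the sample process lines are constructed for illustration and are not taken from a Kindle.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not from a real device.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
framework:x:0:0:constructed uid-0 alias:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# Constructed "user pid command" lines, shaped like a trimmed process listing.
SAMPLE_PS='root 1 /sbin/init
root 412 /usr/bin/browser
nobody 977 /usr/sbin/dnsmasq'

# check_unpriv_user NAME [PASSWD_TEXT]
# Prints "uid gid shell" and returns 0 when NAME exists with non-zero uid and gid.
# Returns 1 when NAME is missing, 2 when it exists but its uid or gid is 0
# (an account like that is root under another name, so it gives no isolation).
# An empty or non-numeric uid/gid field is treated as 0, the conservative reading.
# Without PASSWD_TEXT the system's own /etc/passwd is read.
check_unpriv_user() {
    printf '%s\n' "${2:-$(cat /etc/passwd)}" | awk -F: -v u="$1" '
        $1 == u { found = 1; uid = $3; gid = $4; shell = $7 }
        END {
            if (!found) exit 1
            if ((uid + 0) == 0 || (gid + 0) == 0) exit 2
            print uid, gid, shell
        }'
}

# root_procs PS_TEXT
# Prints the command column of every "user pid command" line owned by root.
root_procs() {
    printf '%s\n' "$1" | awk '$1 == "root" { print $3 }'
}

# Demonstration on the constructed data.
echo "nobody account: $(check_unpriv_user nobody "$SAMPLE_PASSWD")"
echo "commands running as root:"
root_procs "$SAMPLE_PS"
```
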