Old 02-12-2024, 06:55 PM   #1
bulltricks
Enthusiast
 
Posts: 29
Karma: 100000
Join Date: May 2023
Device: Kindle family
Now it can be told - XSS on the Kindle browser

So after many months, I can start talking about how XSS mattered on the Kindle.

I should clarify, before people get excited - this has been reported to Amazon, and finally marked as Resolved - so don't expect this to work on 5.16.6!

Prior to the recent move away from Webkit, the web-browser app would render certain things by setting "innerHTML".

A couple of things make this a rather big problem:
  1. Captive portals bring up the browser without asking
  2. Getting access to innerHTML gave access to the "kindle" namespace ...
  3. The 'kindle' namespace can send messages to Pillow

The Pillow messages are intended as safe. Except, unsurprisingly, Pillow also allowed access to 'innerHTML' in certain cases.

Finally, Pillow's javascript has access to full 'nativeBridge' - and once you have access to 'nativeBridge', you can get shell access, at least if you don't overwrite the wrong file...

This is dangerous because it's conceivable that this can happen without any user interaction (although my proofs-of-concept were slow enough that users know the device is being compromised, but there isn't much that can be done).

I'm posting this in hopes that the community will do a fix, at least for the browser cases.

Last edited by bulltricks; 02-12-2024 at 08:04 PM.
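Added example, not from bulltricks's post or from any Kindle/Pillow code: the core issue the post describes is untrusted page content reaching an `innerHTML` sink. The block below contrasts that raw assignment with escaping the text first, and adds a small guard that detects when raw tag syntax is still about to be written. It runs under Node without a DOM, so a minimal element-like object stands in for a real element; the sample string is constructed for illustration.

```javascript
// Added example (not the original post's code): escaping untrusted text before it
// reaches an innerHTML sink, versus assigning it raw. No real DOM is needed; a
// plain object with an innerHTML property stands in for an element.

// Escape the characters that can change HTML parsing context.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: untrusted text assigned directly to innerHTML, which is the
// behaviour the post attributes to the old browser app. Returns what was written.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
  return el.innerHTML;
}

// Safer pattern: escape first, so any markup in the input is displayed as text
// rather than parsed as elements or script.
function renderEscaped(el, untrusted) {
  el.innerHTML = escapeHtml(untrusted);
  return el.innerHTML;
}

// Cheap guard: true when a value headed for innerHTML still contains raw tag
// syntax. Useful as a pre-write assertion in code that should only show text.
function containsRawTag(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Constructed sample: the kind of string a captive-portal page could hand the
// browser. Run both paths and report whether raw markup survived.
function demo() {
  const sample = '<script>alert("xss")</script>';
  const unsafeEl = { innerHTML: '' };
  const safeEl = { innerHTML: '' };
  const result = {
    unsafe: renderUnsafe(unsafeEl, sample),
    unsafeHasTag: containsRawTag(unsafeEl.innerHTML),
    escaped: renderEscaped(safeEl, sample),
    escapedHasTag: containsRawTag(safeEl.innerHTML),
  };
  console.log(result);
  return result;
}

demo();
```

In a real page, prefer `textContent` over `innerHTML` whenever the value is meant to be displayed as text; escaping is the fallback for code that must keep writing HTML strings.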