A recent research states that e-reading systems with support for open EPUB format can be exposed to severe security risks. As many users may remember, this format relies on XHTML and CSS for building e-books, so web browsing engines often use it for content rendering.
According to the report, it is the inherent characteristics of this format that represent a severe risk linked to the use of e-books in web browsers.
The investigation was conducted by imec-DistriNet Research Group, whose experts found that almost none of the JavaScript-compatible reading systems analyzed adequately adhere to the security recommendations for the EPUB format specification.
During the analysis, the researchers used a semi-automated testing framework available on GitHub and found that 16 of the 97 systems analyzed allowed the leakage of file system information from an EPUB; in eight of these cases, the contents of the file were even allowed to be extracted. A threat actor could fully access the affected system by exploiting some specific features in the implementation of the read systems.
While the severity of an attack depends on the platform used and the type of information stored, millions of users could be affected by these attacks.
The researchers also conducted a manual evaluation of the most popular EPUB reading applications on Amazon Kindle, Apple Books, and the EPUBReader browser extension, which also led to the finding of multiple security weaknesses: “Most of the security measures on these readers can be evaded by abusing an input validation flaw.” , the experts add.
Regular users of e-books may be the most surprised, but experts also found multiple flaws in Apple Books, which comes pre-installed on macOS, as well as security issues in the Windows version of Adobe Digital Editios. These issues were presented to the developers of the aforementioned tools and are expected to be corrected soon.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.