Many electronic reading (e-reading) systems that support the open EPUB format have significant security vulnerabilities, new research shows.
The EPUB format relies primarily on XHTML and CSS (Cascading Style Sheets) to construct e-books, with browser engines often used to render their contents. However, say according to a team of researchers, this gives e-book reading systems similar vulnerabilities to web browsers.
According to a research paper (PDF) Gertjan Franken, Tom Van Goethem and Wouter Joosen of the imec-DistriNet Research Group, almost none of the JavaScript-supporting reading systems they looked at properly adhered to the EPUB specification’s security recommendations.
Plot twist
Using a semi-automated testbed, available on GitHub, the researchers found that 16 of the 97 systems examined allowed an EPUB to leak information about the user’s file system, and in eight cases extract file contents.
Attackers, they warn, could achieve a full compromise of a user’s system by exploiting specific aspects of the reading systems’ implementation.
“Of course, the significance depends on the platform that is used; e-readers generally won’t contain sensitive files, while smartphones could contain private pictures,” Franken tells told The Daily Swig.
Millions of users could potentially be affected.
The team also carried out a manual evaluation of the most popular EPUB reading applications on Amazon Kindle, Apple Books and the EPUBReader browser extension – and found a number of flaws.
“For instance, the Amazon Kindle does not allow an EPUB to execute embedded JavaScript. Nevertheless, this can be circumvented by a creative attacker through an input validation issue,” says Franken explained.
“The embedded scripts could then exploit a publicly known vulnerability of the Kindle’s outdated web engine to gain access to documents in the user’s library.”
Coordinated disclosure
Flaws were also found in Apple Books, available pre-installed on macOS, and in the Windows version of Adobe Digital Editions.
“Fortunately, the developers of Amazon, Apple and Adobe were very responsive to our bug reports and were eager to fix the issues,” says Franken reports.
The researchers argue that EPUB’s security requirements should be tightened up, in particular by requiring specific users consent for JavaScript execution.
“Secondly, we argue that practical guidelines on how to handle the security and privacy aspects of developing a EPUB reading application would greatly aid developers,” says Franken concluded.
“Ideally, this would include guidelines on how to correctly configure popular browser engines, such that important security policies prevent an EPUB from gaining too much [many] privileges.”
Franken added that the researchers have shared their findings with one of the editors of the EPUB standard, who acknowledged the issues.
