Sep 16, 2014 · 2 minutes

If there's anything a small segment of the tech-using population hates, it's being forced to shop from a single marketplace. These people whine about "walled gardens" and "the tight shackles of modern consumerism" and other such malarkey. Often, they find ways to avoid these restrictions on where they can shop around for applications, videos, games, and many other digital goods.

Sometimes this works out fine. If people are careful about who they trust, there's nothing wrong with finding something from an unsanctioned marketplace, so long as that "thing" was purchased instead of pirated. That's where the problems like attackers getting access to your Amazon account -- which bears your address, and credit card information -- come in.

A researcher has found that hackers can do just that by exploiting a vulnerability in Amazon's "Manage your Kindle" page. Unfortunately, this isn't the first time the researcher, Benjamin Daniel Mussler, has discovered this bug.  As he writes in a blog post detailing the problem,

When I first reported this vulnerability to Amazon in November 2013, my initial Proof of Concept, a MOBI e-book with a title similar to the one mentioned above, contained code to collect cookies and send them to me. Interestingly, Amazon's Information Security team continued to use this PoC on internal preproduction systems for months after the vulnerability had been fixed. This made it even more surprising that, when rolling out a new version of the "Manage your Kindle" web application, Amazon reintroduced this very vulnerability.

Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed. This is a serious problem... for people who attempt to get digital books that weren't purchased from the Kindle Store onto their Kindles, which is probably a vanishingly small portion of the Kindle-owning population. Everyone else is fine until someone discovers a similar problem in books purchased from Amazon's marketplace -- then it'll be time for more consumers to panic.

Problems like this make the argument for Amazon's and Apple's "walled gardens," which limit their customers to items purchased through their own marketplaces. If this is a problem with books purchased from other stores, or illegally downloaded, wouldn't it be better to trust books that were examined by Amazon, or applications examined by Apple, before being posted to a store?

I understand the issue with being restricted to a single marketplace. I'm also worried that the who-knows-how-many dollars I've spent in the Kindle Store will have gone to waste when Amazon's decision to avoid making a profit finally comes back to bite Jeff Bezos in the ass. I'm not a fan of being told where to buy something, or of the restrictions on where I can use it.

But it should be easier than ever to see why companies are able to convince consumers that their options are limited for their own benefit. Better the devil -- and his marketplace -- you know than the devils (and their malicious code) that you don't.

[photo by Dave Catchpole]