Bug hunter Craig Arendt has reported vulnerabilities in major eBook readers including those from Apple, Google, and Amazon.
The similar but separate XML external entity (XXE) flaws also affect all online EPUB ebook services that use the popular EpubCheck library, which ensures good format conversions into the universal EPUB book format.
"[I] applied a familiar XXE pattern to exploit services and readers that consume the epub format [and exploited] vulnerabilities in EpubCheck, Adobe Digital Editions, Amazon KDP, Apple Transporter, and Google Play Book uploads," Arendt says.
"The validator tool (EpubCheck) was vulnerable to XXE, so any application that relies on a vulnerable version to check the validity of a book would be susceptible to this type of attack."
The named vendors have applied patches preventing the possible information disclosure and denial of service conditions.
Apple's Transporter, which ships books to the App Store, was also affected.
In one instance Arendt accidentally grabbed the shadow password file for one unnamed service using the vulnerable EpubCheck library.
Google Play Books was not vulnerable to XXE but was vulnerable to the XML exponential entity expansion mess, a flaw that leads to denial of service through explosive growth of parsed data.
Other services permit Java and Flash and, as a result, likely allow more brutal exploits. Arendt says he will disclose further attacks once the vendors have issued patches. ®
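An added example (not from Arendt or the EpubCheck project): a pre-parse check that a service accepting EPUB uploads could run to flag the external and nested entity declarations behind the XXE and exponential-expansion flaws described above. The function names, the 64 KiB prolog cap and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

XML_SUFFIXES = (".xml", ".opf", ".ncx", ".xhtml")
MAX_PROLOG = 64 * 1024  # assumed cap; entity declarations precede the root element
class _RootReached(Exception):
    """Stops the parse before any entity reference in the body is expanded."""

def entity_findings(data):
    """Return (kind, name) for every entity declared in one XML document."""
    findings = []
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else ("nested" if "&" in value else "internal")
        findings.append((kind, name))
    def on_root(name, attrs):
        raise _RootReached
    parser = expat.ParserCreate()  # expat loads nothing external without a handler for it
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data[:MAX_PROLOG], True)
    except _RootReached:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))  # fail closed on an unparseable prolog
    return findings

def scan_epub(epub_bytes):
    """Map each XML member of an EPUB (a ZIP archive) to the entities it declares."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(XML_SUFFIXES):
                with zf.open(info) as member:
                    report[info.filename] = entity_findings(member.read(MAX_PROLOG))
    return {name: found for name, found in report.items() if found}

def build_sample():
    docs = {  # constructed sample: one clean member and two that declare entities
        "META-INF/container.xml": '<?xml version="1.0"?><container/>',
        "OEBPS/content.opf": '<!DOCTYPE p [<!ENTITY x SYSTEM "file:///constructed/placeholder">]><package>&x;</package>',
        "OEBPS/toc.ncx": '<!DOCTYPE n [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]><ncx>&b;</ncx>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in docs.items():
            zf.writestr(name, text)
    return buf.getvalue()
```

An upload pipeline would reject or quarantine any book for which `scan_epub` returns a non-empty report, and still configure the downstream XML parser to refuse DOCTYPE and external entities.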