Discovering Flaws in EPUB Studying Methods

Finding Flaws in EPUB Reading Systems

How safe is your e-reader? A group of safety researchers curious to discover e-book safety analyzed free EPUB studying purposes and bodily e-readers and located that many apps do not adjust to safety suggestions, and a few widespread purposes are susceptible to exploitation.

Gertjan Franken and Tom Van Goethem are doctoral college students with imec-DistriNet at KU Leuven in Belgium. Their venture started when Franken was excited about his personal e-reader and the way e-books are rendered. Some preliminary studying revealed the topic space shared commonalities with different subjects they have been exploring as a part of their Ph.D. program, in order that they determined to dig into it.

“I mentioned with Tom, and we shortly found that loads of these purposes aren’t really as safe as they need to be,” Franken says in an interview with Darkish Studying.

Their investigation consisted of a large-scale research through which they analyzed 97 free EPUB studying purposes throughout seven platforms, in addition to 5 bodily e-readers.

“Earlier than, there was probably not that a lot current analysis on the safety of e-book studying programs,” Van Goethem says. “We needed to discover the best way we wished to judge these studying programs from scratch.”

The group analyzed the EPUB purposes utilizing a semi-automated framework they constructed. They discovered half of the purposes weren’t compliant with safety suggestions of the EPUB specification. For instance, a malicious e-book can leak native file system info in 16 of the purposes they evaluated.

Whereas semi-automation helped pace issues up, Franken notes it additionally let some vulnerabilities slip via the cracks. When an attacker chooses a goal, he says, they analyze an utility themselves. Because of this, the group determined so as to add handbook analysis to their analysis.

“I additionally assume that is the extra fascinating half … we discovered some fascinating vulnerabilities there,” Franken provides.

To show the severity of their outcomes, Franken and Van Goethem carried out three case research through which they manually exploited the most well-liked utility on three platforms: Amazon Kindle, Apple Books, and the browser extension EPUBReader for Chrome and Firefox.

One of many flaws with the most important affect was within the browser extension, Van Goethem notes. A bug he says is hard to take advantage of may let an attacker entry info on different websites the goal is logged onto, if the sufferer uploads a malicious EPUB utility to the extension. He says they contacted the writer of the appliance, although it is unclear if a patch will probably be launched.

Classes Discovered
One of many key takeaways from this research was the significance of getting automation proper, says Franken. They wished to make the analysis as seamless as attainable, however this was tough for the EPUB purposes as a result of their interfaces are fairly totally different, he explains. Ironing out the problems with automation was essentially the most difficult side of the venture to date, he says.

The sheer dimension of the research was one other problem, provides Van Goethem. As a result of they’re in educational analysis, their foremost purpose usually is to totally perceive a whole ecosystem. This implies once they conduct a research, it is sometimes at a big scale to incorporate as a lot of the ecosystem as attainable.

“That is why we did not simply analyze the e-reading programs themselves, however we additionally tried to gather a really massive set of EPUBs from the wild,” he says. The group downloaded totally different torrents, and obtained EPUBs in methods different customers may attempt to receive them, and analyzed these to see if there was any malicious exercise.

Fortuitously, he says, they did not discover any ongoing assaults however given their findings, it appears this is perhaps an space for attackers to probably transfer into sooner or later.

Franken and Van Goethem will current their analysis at Black Hat Europe in an upcoming discuss entitled “How Your E-book Would possibly Be Studying You: Exploiting EPUB Studying Methods.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts