From the “I can’t make this shit up” files comes a boneheaded revelation about Adobe’s Digital Editions 4, their epub app. Nate Hoffelder over on The Digital Reader blogged about verifying this privacy breach. The software is scraping info about the ebooks a customer reads and how they read them, as well as info about other ebooks on the customer’s hard drive, and sending it back to Adobe’s servers.
Via UNENCRYPTED CLEAR TEXT. (Meaning anyone can siphon it off.)
EDIT: ArsTechnica has independently verified it.
EDIT 2: Adobe confirmed it.
Why, beyond the obvious WTF of the privacy violation (and possible breaking of privacy laws in some locations), is this important?
Because in that article he also references an Amazon vulnerability that made it possible for hackers to take control of a user’s Amazon account simply by having the user download an infected ebook. It was closed, opened again when Amazon made a site update, and then subsequently closed again.
Now, why is THAT important, you might ask? Especially if they closed the hole?
Well, they closed it once, then stupidly opened it again, for starters. This was also reported on TechCrunch.
And if you think, well, that doesn’t affect me, because I use Calibre, think again, buddy. There have been vulnerabilities discovered in the past that have impacted Calibre, too.
What is the tl;dr of this?
If you get ebooks from unreliable sources (file sharing sites) then basically, you have no idea what you’re getting. Hackers are getting smarter with every new tech update that comes out, every new gadget. Hell, even with a book that SHOULD be “safe” read in Adobe Digital Editions, your privacy is at risk.
Keep in mind, you are not locked into buying content only from the device manufacturer’s ebook store. You can get files that will work on your device or app (or convert them) with software like Calibre. But don’t risk your privacy and financial information by doing something like getting “free” files from sharing sites, or buying from “discount” (i.e., pirate) sites. (In that case, you’re giving your financial information over to thieves in exchange for saving some bucks and screwing writers out of their royalties all at the same time, so good luck with that.)
Get your books from the main ebook stores, or get your ebooks directly from publishers, or authors selling their own books via their own sites, or local public library lending programs, or via SAFE sites like Project Gutenberg.
But if you’re just getting your ebooks from anywhere and assuming they’re safe because they’re “just” ebooks? Think again. They’re not. These current hacks might not seem like a big deal, but as more and more people start converting to ebooks, hackers will start looking for more ways to get a toehold into your devices via malicious code embedded in ebooks.
And help signal boost the WTFery that Adobe is up to, so we can get them to stop spying on people.