According to Forbes, at the Black Hat Europe 2025 hacker conference in London, cybersecurity researcher Valentino Ricotta from Thales demonstrated critical vulnerabilities in Amazon Kindle software. By creating a malicious audiobook file, he exploited a memory error to steal Amazon session cookies, granting full access to a user’s Amazon account without a password. Chaining this with a second flaw in the onscreen keyboard, he gained complete control of the Kindle device itself. Amazon was notified beforehand, paid Ricotta a $20,000 bug bounty, and has since issued automatic patches to all affected Kindles. However, in an update from December 16, expert Javvad Malik warns that scammers are now exploiting fears of this hack with fake “Amazon fraud department” phone calls to steal credentials and money.
Why this Kindle hack was so clever
Look, phishing for Amazon logins is old news. But this? This is next-level. Ricotta didn’t trick a person; he tricked the device’s own trusted systems. The attack vector—a manipulated audiobook—is genius because it exploits something you’d want to download. The Kindle parses the file, the malicious code triggers, and bam, it leaks the golden ticket: your Amazon session cookies.
And here’s the thing about session cookies. They’re like an all-access backstage pass your device holds after you log in. Steal those, and the hacker doesn’t need your password or 2FA. They’re just… in. The second vulnerability, in the privileged onscreen keyboard, was the coup de grâce for total device control. It’s a stark reminder that even single-purpose devices like e-readers are complex computers with sprawling attack surfaces.
The real fallout is in the phishing
So the technical flaw is patched. Great. But the real-world impact is just heating up. Malik’s warning about scam calls is the predictable, ugly next chapter. Hackers read headlines too. They see “Critical Amazon Kindle Hack” and think, “Perfect. A fresh fear to weaponize.”
Now you get a panicked call from “Amazon Fraud.” They say your account was breached via a Kindle exploit. Sounds credible, right? The urgency they create is the weapon. They’ll try to get you to install remote access software, give up credentials, or even transfer money. It’s social engineering 101, but it works because it preys on genuine, newly publicized anxiety. Amazon’s official advice is your best defense here: never trust an inbound call like that. Hang up and contact Amazon through the channels listed on its own site.
Who wins and loses here?
In the immediate sense, Amazon comes out looking… okay? They fixed the bugs before public disclosure and paid the bounty. Their automated patch system worked. That’s the textbook response. But it’s another dent in the myth of walled-garden security. If a dedicated e-reader can be a backdoor to your entire retail and cloud account, it makes you question every connected device you own.
The clear winners are the ethical hackers like Ricotta and the bug bounty ecosystem. A $20,000 payout for critical research is a good incentive. The losers, as always, are everyday users who now have to be skeptical of everything—even a phone call about a fixed vulnerability. It also highlights how in our interconnected tech world, a weakness in a niche device (like a Kindle) can threaten a core account (like Amazon). The security chain is only as strong as its weirdest link.
