Nightwatch Security
Amazon's Silk Internet browser contained a serious bug which not only ignored SSL security standards in Google searches but prevented redirection to the secure version of the search engine.
The Google Chrome-based Silk browser, loaded with Amazon Kindle tablets, was set up without Secure Sockets Layer (SSL) technology -- which encrypts communication between servers and web browsers -- and also prevented automatic redirections to Google's SSL version of the tech giant's search engine.
This security problem left user connections unencrypted and potentially open to man-in-the-middle (MitM) attacks and snooping.
On Monday, Nightwatch Security revealed its findings in a public security disclosure . The company's security team said the browser, which allows users to choose between Google, Bing and Yahoo for search results, does not connect using SSL if Google is selected.
"All searches via the browser's omnibox are done without HTTPS resulting in ability of malicious third parties to monitor user's search engine traffic," the team says.
"Furthermore, going to 'http://www.google.com' which normally would redirect to the SSL version, stayed in HTTP mode and prevented redirection. All other Google international domains (like google.ru, google.fr, etc) automatically redirected to the SSL versions."
Nightwatch security verified the problem existed on v.49.3.1, and the problem was fixed in the Silk browser version 51.2.1.
Amazon and Google were notified of the security issue on 1 May 2016. A day later, the Nightwatch security team received a generic response from Amazon, and a fix was issued and verified in July before public disclosure. A CVE assignment for the security flaw is pending.
Users of Amazon's Kindle range should update their devices to the newest version of the Silk browser.
This is not the only problem Amazon has faced in relation to the security of the Silk browser. Security concerns were raised back in 2011 , as at launch, the company stated that the Amazon Elastic Compute Cloud (EC2) would be utilized as a proxy for all web activity running through the browser.
In other words, all online activity and website visitors passing through Silk would actually be EC2 copies of websites. The system cuts down on power requirement and can result in faster speeds, but is not going to be to everyone's taste.