In recent years, global e-book sales have shot through the roof and e-book reading applications have sprouted like mushrooms. EPUB, the most popular open e-book format, is supported by free applications on virtually any device, ranging from desktops to smartphones. But how sure are we that these e-books aren't actually reading us?
To answer this question, we analyzed 97 free EPUB reading applications across seven platforms and five physical e-readers using a self-developed semi-automated testbed. It turns out that half of these applications are not compliant with the security recommendations of the EPUB specification. For instance, a malicious e-book is able to leak local file system information in 16 of the evaluated applications.
To further demonstrate the severity of these results, we also performed three case studies in which we manually exploited the most popular application on each of three different platforms, namely Amazon Kindle, Apple Books, and EPUBReader for Chrome and Firefox. Moreover, we demonstrate that distributing malicious e-books through official e-book vendors is very much feasible via self-publishing.