This guy found out that most of the GUI is HTML and Javascript. Some of the JS functions are mapped to OS calls, including one that will run any script as root (nativeBridge.dbgCmd();). This function is disabled in the browser, so it needs to be called from somewhere else.
So he injects the function call into the ID3 tag of an MP3 file and plays the file on the native mp3 player which has a html gui for displaying the id3 tag info :)
Finally he uses this exploit to enable ssh and install a certificate so he can connect to it.
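The comments above describe metadata from an ID3 tag being rendered straight into the player's HTML GUI. As an added example (not code from the jailbreak author or from Amazon), this is a small defender-side scanner that parses ID3v2.3/2.4 text frames and flags any that carry HTML or script markup, which is what a file should never need; the sample tag is constructed inline.

```python
import re
import struct

# Anything that looks like an HTML tag or a javascript: URL has no business in a
# song title or artist field; flag it rather than render it.
SUSPECT_PATTERN = re.compile(r"<\s*/?[a-zA-Z!]|javascript:", re.IGNORECASE)

_ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}


def _syncsafe(n):
    """Encode an int as the 4-byte syncsafe size used in ID3v2 headers."""
    return bytes(((n >> s) & 0x7F) for s in (21, 14, 7, 0))


def _unsyncsafe(b):
    """Decode a 4-byte syncsafe size (7 significant bits per byte)."""
    return ((b[0] & 0x7F) << 21) | ((b[1] & 0x7F) << 14) | ((b[2] & 0x7F) << 7) | (b[3] & 0x7F)


def build_id3v2_3(frames):
    """Build a minimal ID3v2.3 tag from (frame_id, text) pairs (constructed test input)."""
    body = b""
    for fid, text in frames:
        data = b"\x03" + text.encode("utf-8")  # leading byte 3 = UTF-8 text encoding
        body += fid.encode("ascii") + struct.pack(">I", len(data)) + b"\x00\x00" + data
    return b"ID3\x03\x00\x00" + _syncsafe(len(body)) + body


def id3v2_text_frames(blob):
    """Yield (frame_id, text) for every T*** text frame in an ID3v2.3/2.4 tag."""
    if len(blob) < 10 or blob[:3] != b"ID3":
        return
    major = blob[3]
    pos, end = 10, 10 + _unsyncsafe(blob[6:10])
    while pos + 10 <= end:
        fid = blob[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # padding: no more frames
            break
        raw = blob[pos + 4:pos + 8]
        size = _unsyncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        data = blob[pos + 10:pos + 10 + size]
        pos += 10 + size
        if fid[:1] == b"T" and data:
            enc = _ENCODINGS.get(data[0], "latin-1")
            yield fid.decode("ascii"), data[1:].decode(enc, "replace").rstrip("\x00")


def suspicious_frames(blob):
    """Return the [(frame_id, text)] frames whose text contains HTML/JS markup."""
    return [(fid, txt) for fid, txt in id3v2_text_frames(blob) if SUSPECT_PATTERN.search(txt)]


if __name__ == "__main__":
    tag = build_id3v2_3([("TIT2", "<b>Track</b>"), ("TPE1", "Some Artist")])
    print(suspicious_frames(tag))
```

A player that must show these fields should additionally write them with `textContent` (or an equivalent escaping step) rather than `innerHTML`, so that even unflagged markup is displayed as text, not executed.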
I believe this is technically local code execution, not remote. It's not like you can do this unless you have access to the device (the browser apparently doesn't allow it, and I can't imagine you can remotely make the device play an MP3).
It's clear that Amazon did think about XSS -- in the context of the browser. The debugCmd isn't available there.
It's also clear that they didn't think about all the other potential interactions with the system. It's not the things you don't know that bite you -- it's the thing you know that isn't so.
I don't think Amazon has that much of a problem with the jailbreaks. I can't see how they would lose any money with it, and whoever uses them knows that he can potentially brick the device.
I guess, this would mean that a user can remove the ads from the ad-supported Kindle and save $40. This would mean that Amazon loses almost 30% in revenue each time they sell a Kindle Touch that is to be jailbroken.
The ads are so good that I'd choose an ad-supported kindle over an ad-free one at the same price point. Virtually all my shopping, aside from perishable foods, can be done at Amazon.com -- I've bought toilet paper, ketchup, packing supplies, cereal, etc. there -- that the offers will probably pay for the device.
I suspect the vast majority of customers don't care about the ads, and wouldn't expect them to pay to remove them in the first place.
As far as ad-supported services go, the Kindle is actually quite good - totally unobtrusive, and you actually get some good offers, things like $5 off a $10 purchase.
Although the other "special offer" kindles have been jailbroken for some time, the kindle hacking community seems to be doing a good job of refusing to (at least for the relative layman) disable advertisements on them or enable any sort of tethering over 3g.
You must have a certain website or subset of the community in mind. I actually got a Kindle 3 a couple months ago and the majority of the discussion that I could find about homebrew on the device was centered around removing the ads. I browsed 4 or 5 forums before deciding it was a lost cause.
In fact, I wasn't even really able to find anything other than removing the ads and changing the screensaver as what you can do after your kindle is jailbroken.
Whether they are looking the other way on jailbreaks or not, this sounds like a rather serious security problem. It's nice that I can run my own code on the device, but that also means that any MP3 files I download off the internet can run other, potentially malicious code.
Thankfully, this is the Kindle Touch, not the Kindle Fire. I'm guessing maybe 1% of people will use their Kindle Touch as an MP3 player, so this is mostly positive news - a jailbreak vector with little damage seen in the wild - the potential is there, it's just unlikely to be leveraged.
As I see it, Amazon does have an interest in users not jailbreaking or bricking devices. They sell the devices at around cost to sell content. If a user jailbreaks a device, Amazon loses the tight control on where the content comes from, and if a user bricks a device, Amazon sells no content for that device at all.
Yes, I do use a Kindle. All content I read on it was from Amazon. I know I can get content from somewhere else, but it will never be as convenient as getting it from Amazon.
You or others may be interested in the "Magic Catalog" for Project Gutenberg. It's basically an ebook that you put onto your kindle that is a catalog of all the books on Project Gutenberg. You select any that you want and it automagically grabs them for you.
After the initial effort investment (not that hard, since you can download it with the kindle's browser), I would say it's actually easier.
It's almost as convenient. You just have to download the file, and email it at your @(free.)kindle.com address. No cables, no big and heavy Java app to do file conversion, nothing.
FWIW, I noticed some images loading in the description overlay in a podcast I was listening to on my iPhone. So, it looks like iOS devices render HTML content in ID3 tags.
I've been meaning to explore whether they run JavaScript too but haven't gotten around to it yet.