Best thing ever: discovering an exploit that no one else has found (so far as you know).
Worst thing ever: being exploited.
Runner-up: Learning about a beautiful exploit AFTER the company has implemented measures to stop it.
I was recently exposed to an excellent blog post about an exploit of the Kindle Unlimited system. For those of you who aren’t self-publishing through Amazon, the Kindle Unlimited program allows authors to put their books into a library-esque pool, which subscribers can read for free. At the end of the period, authors are paid based on how many pages of their books were read in comparison to all the others.
There are thousands of books in the Kindle Unlimited library. There are only a few million dollars in the pool. The most money goes to the author who has the most “pages read” during the period.
The exploit is simple and elegant: Amazon cannot track how many pages you have actually read. The “pages read” metric is based on the furthest page you have reached, not anything else. Therefore, it is possible for an author to put a hyperlink at the front of a 3000-page book, which links to the very back. In seconds, they have 3000 pages read, putting them in the running for a lot of moolah.
Of course, Amazon is getting better at catching and punishing anything that even looks like this exploit. The author linked above was penalized for putting a link to her actual book (which starts at the halfway mark) at the front, so that her readers didn’t have to read the bonus story if they didn’t want to.
What can we learn from this simple exploit, which reportedly earned a few teenagers tens of thousands of dollars before they were shut down?
FIRST, we see the most common source of exploits – the programmer got lazy and/or made a mistake. In this case, the programmers erroneously referred to “furthest page reached” as “pages read”. Those who followed after relied on the concept of “pages read” to build their payment distribution algorithm, not realizing that it couldn’t actually track which pages were legitimately read. One mistake snowballed to produce an exploit of the system.
SECOND, we see how exploits are often discovered – a user makes an observation. Of course, for programs like Google Chrome, the user generally has to go looking for viable exploit materials, but often enough exploits can be discovered by the average user. In this case, a few kids (and adults) followed a link to the back of the book, only to realize that the system claimed they read the whole thing. This observation begat an idea, which begat a very effective scam.
THIRD, we see how post-discovery mitigation tends to penalize the average user. In video gaming, rampant piracy led to built-in DRM, which led eventually to Always-On DRM. This means that every user (even the innocent, law-abiding citizens) must be online at all times in order for the game to work. In the Amazon case, the author linked above was warned that punishments would follow if she did not restructure her work.
Unfortunately, it’s very difficult to develop a better response than Amazon has employed. Ideally the solution would fix the bug without affecting users, but the framework does not exist for Amazon to patch all of their e-readers and apps, at least not right now. The next best solution would require a more detailed analysis of all the works submitted to Amazon, but that would definitely not be cost-effective for Amazon. And, of course, the worst solution for Amazon would involve dismantling their Kindle Unlimited service and refunding all the users who had subscribed.
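The gap between “furthest page reached” and pages actually read, as an added Python example that is not from the original post or from Amazon. It assumes the reader app can report per-page display events; the event format, the 5-second dwell threshold, the pool size and all names are hypothetical.

```python
from collections import defaultdict

MIN_DWELL_SECONDS = 5  # assumption: shortest display time that counts as reading

# Constructed events: (reader, book, page, seconds the page stayed on screen).
EVENTS = [("alice", "honest-novel", p, 45) for p in range(1, 41)] + [
    ("bob", "padded-book", 1, 4),      # opens the book...
    ("bob", "padded-book", 3000, 2),   # ...and follows a link to the last page
]

def furthest_page_reached(events):
    """Metric described in the post: highest page number per (reader, book)."""
    furthest = defaultdict(int)
    for reader, book, page, _dwell in events:
        furthest[(reader, book)] = max(furthest[(reader, book)], page)
    return dict(furthest)

def pages_displayed(events, min_dwell=MIN_DWELL_SECONDS):
    """Alternative metric: distinct pages shown for at least min_dwell seconds."""
    seen = defaultdict(set)
    for reader, book, page, dwell in events:
        pages = seen[(reader, book)]   # creates the entry even if nothing counts
        if dwell >= min_dwell:
            pages.add(page)
    return {key: len(pages) for key, pages in seen.items()}

def pool_shares(per_session, pool):
    """Split a fixed pool between books in proportion to credited pages."""
    per_book = defaultdict(int)
    for (_reader, book), pages in per_session.items():
        per_book[book] += pages
    total = sum(per_book.values())
    return {book: (pool * n / total if total else 0.0) for book, n in per_book.items()}

def flag_jumps(events, max_ratio=10):
    """Sessions whose credited pages exceed max_ratio x pages displayed."""
    credited, shown = furthest_page_reached(events), pages_displayed(events)
    return sorted(k for k, n in credited.items() if n > max_ratio * max(shown[k], 1))

if __name__ == "__main__":
    print(pool_shares(furthest_page_reached(EVENTS), 1000.0))
    print(pool_shares(pages_displayed(EVENTS), 1000.0))
    print(flag_jumps(EVENTS))
```

A jump flag like this would also fire on a legitimate navigation link such as the one the penalized author used, so it is a signal for review and not a verdict.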
What do you think Amazon could have done to handle this exploit more effectively? Post below in the Disqus thread.
And no, I haven’t submitted any books that exploit this pattern. I stumbled on it too late, and I will not jeopardize my relationship with my distributor…by getting caught…