A teenager in India has discovered a major loophole in Amazon-owned audio book retailer Audible that allows anyone to download an unlimited number of audio books for free.
The flaw is one of ordering: Audible issues membership credits before the credit card used to buy the membership has been verified, so anyone can supply fake payment details and download an unlimited number of audio books.
In a video provided to Business Insider, Alan Joseph, a 19-year-old computer science student from Bangalore, India, demonstrated the loophole. Business Insider was able to replicate the technique used by Joseph to download audio books for free.
Business Insider alerted Audible to the flaw but the company declined to comment immediately. We will update this story if the company has a statement in the future.
Using a fake name, a fake email address and a fake credit card number, a user can create an Audible account and buy any membership plan. Business Insider was able to buy the most expensive plan, a $US229 24-book “Platinum Annual Membership,” with fake credit card details.
Once the membership is applied to an account, the user receives the plan’s allotment of credits for buying books. The credits are issued even when the card details were randomly made up.
Amazon only checks the credit card when a user “buys” an audio book with one of those credits, by which point the membership bought with the fake card has already been credited to the account.
The warning Amazon displays once that check fails is easily sidestepped: the user simply renews the membership with the same fake card details and receives a fresh batch of credits to spend on audio books.
Emails shown to Business Insider reveal that Amazon and Audible were first made aware of the exploit in March 2013, yet haven’t responded to repeated warnings about the loophole.
The loophole would not work if Audible verified the card before crediting the account; the order of the two steps is the flaw, and a failed verification does not claw back credits that were already issued. The site also takes a relaxed approach to security elsewhere, letting users sign up with fake email addresses and make purchases without the address ever being verified.
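To make the ordering problem concrete, here is a small constructed model of the two purchase flows described above. It is added illustration code, not Audible’s or Amazon’s, and every name in it (the store classes, the `authorise` stub standing in for a payment gateway, the test card numbers) is an assumption. The vulnerable store models the reported behaviour: credits are granted at membership purchase, the card is only checked when a credit is spent, a failed check shows a warning that blocks further downloads, and a renewal clears that warning and adds credits. The hardened store authorises the card before issuing anything and treats a failed check as sticky, so renewing with the same bad card yields nothing.

```python
"""Constructed model of a credits-before-payment-check flow and its hardened form.
Illustration only; not Audible's code. All names and card numbers are assumed."""
from dataclasses import dataclass

TEST_CARD_OK = "4111111111111111"    # constructed: the one card the stub gateway accepts
TEST_CARD_FAKE = "0000000000000000"  # constructed: random digits, like the article's fake card


@dataclass
class Account:
    email: str
    card: str
    credits: int = 0
    payment_failed: bool = False     # set when a card check fails (the "warning")


def authorise(card: str) -> bool:
    """Stand-in for a payment gateway's authorisation call (assumption)."""
    return card == TEST_CARD_OK


class VulnerableStore:
    """Credits first, card check later: the ordering the article describes."""

    def buy_membership(self, acct: Account, credits: int = 24) -> bool:
        acct.credits += credits        # granted before any payment check
        acct.payment_failed = False    # renewal clears the earlier warning
        return True

    def redeem(self, acct: Account) -> bool:
        if acct.payment_failed or acct.credits <= 0:
            return False               # warning shown: no downloads until renewal
        acct.credits -= 1
        delivered = True               # the book is handed over here ...
        if not authorise(acct.card):   # ... and the card is only checked afterwards
            acct.payment_failed = True
        return delivered


class HardenedStore:
    """Authorise before issuing credits; a failed check is sticky."""

    def buy_membership(self, acct: Account, credits: int = 24) -> bool:
        if acct.payment_failed or not authorise(acct.card):
            acct.payment_failed = True
            return False               # nothing issued until a real authorisation succeeds
        acct.credits += credits
        return True

    def redeem(self, acct: Account) -> bool:
        if acct.payment_failed or acct.credits <= 0:
            return False
        acct.credits -= 1
        return True


def books_obtained(store, card: str, renewals: int) -> int:
    """Buy a membership, spend credits until refused, renew; count books delivered."""
    acct = Account(email="nobody@example.invalid", card=card)   # constructed account
    books = 0
    for _ in range(renewals):
        if not store.buy_membership(acct):
            break
        while store.redeem(acct):
            books += 1
    return books


if __name__ == "__main__":
    for store in (VulnerableStore(), HardenedStore()):
        for card in (TEST_CARD_FAKE, TEST_CARD_OK):
            print(type(store).__name__, card[-4:], books_obtained(store, card, renewals=3))
```

Run against the vulnerable store, the fake card yields one delivered book per renewal, and the count grows without bound with the number of renewals; against the hardened store the fake card never gets a credit, while the accepted card behaves identically in both. The check to add in a real system is the same one the hardened class makes: no credit, download or other deliverable is issued until the authorisation has returned success, and a failed authorisation is recorded on the account rather than reset by the next purchase.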
Disclosure: Jeff Bezos is an investor in Business Insider through his personal investment company Bezos Expeditions.