Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploads through the standard UI.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First, understand that you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify, or google it for tons of options. Even if the books are free, “selling them” on Shopify will give you analytics and insight into consumers who are interested in your topic, because your books are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But for security reasons your network administrator will need to do it for you. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe Flash” *cough*).

A book can have a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code, and that code may or may not be malware. Typically the code itself would not look infected and would pass a virus scanner. Rather, it would call another site and download the malware from that alternate location.
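For a site operator who must accept epub uploads anyway, one sensible gate is to open the file (an epub is just a ZIP container) and refuse anything that carries scripting. The following is an added example, not Tendenci’s own code: it flags `.js` files, `<script>` elements, inline `on*=` handler attributes and EPUB 3 manifest items declared `scripted`, and builds a small constructed sample container in memory so it can be run offline.

```python
"""Inspect an EPUB (a ZIP container) for embedded scripting before accepting an upload."""
import io
import re
import zipfile

# Indicators that a book carries executable content rather than plain text.
SCRIPT_EXTENSIONS = (".js", ".mjs")
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
ON_ATTR = re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE)          # onclick=, onload=, ...
SCRIPTED_PROPERTY = re.compile(rb'properties="[^"]*\bscripted\b[^"]*"', re.IGNORECASE)
MARKUP_EXTENSIONS = (".xhtml", ".html", ".htm", ".opf", ".svg")


def find_script_indicators(epub_bytes: bytes) -> list[str]:
    """Return the reasons an EPUB should be rejected; an empty list means none were found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                findings.append(f"script file in container: {name}")
                continue
            if not lower.endswith(MARKUP_EXTENSIONS):
                continue
            data = zf.read(name)
            if SCRIPT_TAG.search(data):
                findings.append(f"<script> element in {name}")
            if ON_ATTR.search(data):
                findings.append(f"inline event handler attribute in {name}")
            if lower.endswith(".opf") and SCRIPTED_PROPERTY.search(data):
                findings.append(f"manifest item declared 'scripted' in {name}")
    return findings


def build_sample_epub(with_script: bool) -> bytes:
    """Construct a minimal EPUB-like container in memory (sample data, not a real book)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        props = ' properties="scripted"' if with_script else ""
        zf.writestr("OEBPS/content.opf",
                    f'<manifest><item id="c1" href="ch1.xhtml" '
                    f'media-type="application/xhtml+xml"{props}/></manifest>')
        body = "<p>Hello</p>" + ('<script>alert("hi")</script>' if with_script else "")
        zf.writestr("OEBPS/ch1.xhtml", f"<html><body>{body}</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"with_script={flag}:", find_script_indicators(build_sample_epub(flag)) or "clean")
```

A clean container yields an empty list; the scripted one is reported twice (the `<script>` element and the `scripted` manifest property), so the upload handler can reject it before the file ever reaches a reader.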

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

[Screenshot from epubzone.org: epub javascript]

And examples:

[Screenshot from epubzone.org: pop ups from js in epubs]

To be sure, I love learning sites that have code I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi files, given the millions of people who log into hundreds of open source Tendenci sites, hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.