Older versions of the built-in browser for all Amazon devices, called Silk, forced users to use an insecure version of Google for their Internet searches if users had Google set up as their browser’s search engine.
Silk is a Chromium-based Web browser that ships with Amazon Kindle and Fire devices. By default, the browser comes with Google as the main search provider, but users can also select from Bing and Yahoo if they wish to.
Silk used HTTP Google instead of HTTPS Google
In older versions prior to v51.2.1, the Silk browser sent user searches to Google via HTTP instead of HTTPS, and also prevent an automatic redirection to the HTTPS version of the site, when users accessed the HTTP version of Google.
While sending Google queries from the browser to the Google servers might seem like a developer’s oversight, the second bug was more troubling.
By default, Google automatically redirects all users to the HTTP version of their site to the HTTPS version. Google handles this redirection, and only a severe technical issue on the user’s part would have prevented this process.
Security researchers from, who discovered the issues, said that accessing localized versions of the search engine, like Google.es or Google.jp via HTTP would indeed redirect them to the HTTPS version.
This means that there was no technical difficulty when it came to working with SSL in the browser and that the HTTPS block for Google.com was not the result of a general error.
Users exposed to MitM snooping
The problem with this behavior is that it exposes a user’s Google searches to anyone listening in on the user’s Web traffic because all data would be sent in cleartext.
A user’s Google searches are often used to infer information about a person and are a treasure trove of information for advertisers. Google itself uses this data for advertising as well.
Researchers notified Amazon, who fixed the issue in the Silk browser v51.2.1. “Other than a generic response we received initially, there has been no further communication from the vendor,” the Nightwatch team noted in their blog, revealing that Amazon had not bothered to explain why this strange issue was happening.
Amazon is no stranger to controversy. The Silk browser itself had raised many privacy concerns when itbecause it used the concept of cloud-based Web browsing, where all the data was being sent to Amazon’s EC2 service for processing and then sent to the user’s device.