
I'm basically trying to run some JavaScript that will help me locate my lost/stolen Kindle Fire (HTML5 geolocation based on Wi-Fi access points, then an Ajax request to a hosted PHP script which sends me an email).

It all boils down to this: if someone were to open a document that I send to it, which contains JavaScript – will the JavaScript execute, or will it just fail?

Amazon provides no way to locate a lost device via GPS or other means so I am trying this. Anyone have experience trying to do something like this? I wish I had another device to test on but I don't. The security implications of this exploit are kind of interesting — if it's even possible — although Kindle does expect any emailed documents to come from an email that is in a 'trusted' list managed through your Amazon account.

Dairo
Jim Amos
  • If you sent a link to a webpage it would run when visited. If you try to run it inside the email program or from a file on the device, it probably would be blocked from executing. I guess you can leave a link called "click here if you stole this device", but who would click it? Maybe call the link "my saved bank info" instead... – dandavis Sep 06 '13 at 18:56
  • @dandavis yes I suppose that could be the case. The document might not immediately open in the web browser. – Jim Amos Sep 06 '13 at 19:53
  • @Tip_Top Yes, in this case the user is someone who has stolen the device or for some reason has not already responded to my first attempt at communication – which was just to send a document with my phone number for them to call me and arrange a pick up. Also, I'm aware of the browser function that must ask permission for a user to share his/her location, I was hoping a thief might be persuaded that it was ok to click 'allow'. I'm not looking for ways around this - although I wish Amazon had one and that they would just help me as part of customer service. – Jim Amos Sep 06 '13 at 19:56
  • @Tip_Top as I already mentioned, the only way to send documents to a Kindle is from a trusted email address registered with Amazon in 'Manage my devices'. I'm using my real name on Stack Overflow, I'm a developer by profession so I'm naturally curious about trying to retrieve my own device, given that it has no app like 'Find my phone' which we are all used to having on iOS/Android devices. I don't stalk politicians, I thought they were the ones stalking us ;-) – Jim Amos Sep 06 '13 at 20:02

1 Answer


If you mean a document like you'd send a word doc or book over to read, no, JS wouldn't run like that.

Collin Grady
  • If I send an HTML document, which is allowed - and a user was to click to open that document, would it not open in the Silk web browser and therefore run the JavaScript? – Jim Amos Sep 06 '13 at 19:07
  • @JimAmos: Why don't you just try sending the document now, before it gets stolen, and you can see exactly what happens? – dandavis Sep 06 '13 at 20:04
  • @dandavis it already was stolen. Or so I am assuming since nobody has contacted me after I sent my phone number in a document to the device. – Jim Amos Sep 06 '13 at 20:36