A high-severity flaw within the Amazon Images Android App — which has greater than 50 million downloads — may permit attackers to steal a person’s Amazon entry token and use it to entry a number of Amazon APIs.
The staff at Checkmarx alerted Amazon to the damaged authentication vulnerability within the Amazon Photograph App for Android, which permits customers to share, print, and retailer cellular pictures.
The analysts mentioned the bug is because of a element misconfiguration within the app’s manifest file.
“Every time this exercise is launched, it triggers an HTTP request that carries a header with the client’s entry token,” the staff mentioned. After receiving the request, the analysts discovered they may additionally achieve management of the server.
The report added that, “with all these choices obtainable for an attacker, a ransomware state of affairs was straightforward to provide you with as a probable assault vector. A malicious actor would merely must learn, encrypt, and re-write the client’s information whereas erasing their historical past.”
To guard themselves, customers ought to replace to the most recent model of the app. Checkmarx researchers mentioned that downloads made earlier than Dec. 18 are affected if customers have not up to date the app since then.
