Amazon, in December 2021, patched a excessive severity vulnerability affecting its Photographs app for Android that would have been exploited to steal a consumer’s entry tokens.
“The Amazon entry token is used to authenticate the consumer throughout a number of Amazon APIs, a few of which include private knowledge reminiscent of full identify, e-mail, and deal with,” Checkmarx researchers João Morais and Pedro Umbelino mentioned. “Others, just like the Amazon Drive API, permit an attacker full entry to the consumer’s information.”
The Israeli software safety testing firm reported the problem to Amazon on November 7, 2021, following which the tech big rolled out a repair on December 18, 2021.
The leak is the results of a misconfiguration in one of many app’s elements named “com.amazon.gallery.thor.app.exercise.ThorViewActivity” that is outlined within the AndroidManifest.xml file and which, when launched, initiates an HTTP request with a header containing the entry token.
In a nutshell, it implies that an exterior app might ship an intent — a message to facilitate communication between apps — to launch the weak exercise in query and redirect the HTTP request to an attacker-controlled server and extract the entry token.
Calling the bug a case of damaged authentication, the cybersecurity firm mentioned the problem might have enabled malicious apps put in on the gadget to seize the entry tokens, granting the attacker permissions to utilize the APIs for follow-on actions.
This might fluctuate from deleting information and folders in Amazon Drive to even exploiting the entry to stage a ransomware assault by studying, encrypting, and re-writing a sufferer’s information whereas erasing their historical past.
Checkmarx additional famous that the vulnerability might need had a broader affect on condition that the APIs exploited as a part of its proof-of-concept (PoC) represent solely a small subset of your complete Amazon ecosystem.