Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.
The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018.
Application security firm Checkmarx explained that it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app.
The app can then be used to obtain the user’s Authorization Token, which can subsequently be leveraged to extract the session cookie by sending this information alongside the device’s hardware ID, which is also encoded in the token, to the endpoint “ring[.]com/cell/authorize.”
Armed with this cookie, the attacker can sign in to the victim’s account without having to know their password and access all personal data associated with the account, including full name, email address, phone number, and geolocation information as well as the device recordings.
This is achieved by querying the following two endpoints:
- account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
- account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings
Checkmarx said it reported the issue to Amazon on May 1, 2022, following which a fix was made available on May 27 in version 3.51.0. There is no evidence that the issue has been exploited in real-world attacks, with Amazon characterizing the exploit as “extremely difficult” and emphasizing that no customer information was exposed.
The development comes more than a month after the company moved to address a severe weakness affecting its Photos app for Android that could have been exploited to steal a user’s access tokens.