In December 2021, Amazon released a patch for a high-severity vulnerability that was present in its Photos app for Android. This vulnerability could have been exploited by a third party to steal access tokens from users.
According to researchers João Morais and Pedro Umbelino from Checkmarx, "The Amazon access token is used to authenticate the user across multiple Amazon APIs." Some of these APIs contain personal data such as the user's full name, email address, and address. Others, such as the Amazon Drive API, grant an attacker unrestricted access to the user's files.
The Israeli application security testing company reported the problem to Amazon on November 7, 2021, and the online retail giant fixed it on December 18, 2021.
The leak is the result of a misconfiguration in one of the app's components, "com.amazon.gallery.thor.app.activity.ThorViewActivity," which is defined in the AndroidManifest.xml file and which, when launched, initiates an HTTP request with a header containing the access token.
In a nutshell, it means that an external app could send an intent to launch the vulnerable activity in question, redirect the HTTP request to a server controlled by an attacker, and extract the access token. An intent is a message that facilitates communication between apps.
The cybersecurity company described the bug as a case of broken authentication and said the issue could have enabled malicious apps installed on the device to grab the access tokens. This would have given the attacker permission to make use of the APIs for subsequent activities.
This could range from deleting files and folders in Amazon Drive to even exploiting the access to stage a ransomware attack on the victim by reading, encrypting, and re-writing the victim's files while erasing the history of those files.
Checkmarx noted further that the vulnerability may have had a wider impact given that the APIs that were exploited as part of its proof-of-concept (POC) constitute only a small subset of the entire Amazon ecosystem. This was something that was mentioned in the company's previous statement.