Security News > 2022 > June > Leaky Access Tokens Exposed Amazon Photos of Users
Theoretically, with exposed tokens, an attacker could've accessed users' personal data from a number of different Amazon apps - not just Photos but also, for example, Amazon Drive.
To authenticate users across various apps within their ecosystem, like other software suite vendors, Amazon uses access tokens.
There are any number of ways in which an attacker could've leveraged unsecured access tokens.
With a malicious third-party app installed on the victim's phone, they could've redirected the token in a way "That effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker." From there, the attacker could have accessed all kinds of personal information a victim had stored in Amazon Photos.
Because the tokens also leaked to Amazon Drive, attackers could've found, read, or even unrecoverably deleted files and folders in a victim's Drive account.
It's unclear just how many apps could've been targeted with such loose access tokens, as only a small number of Amazon APIs were analyzed for the report.