Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App
"The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino said.
"Others, like the Amazon Drive API, allow an attacker full access to the user's files."
The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021.
In a nutshell, an external app could send an intent (a message that facilitates communication between apps) to launch the vulnerable activity, redirect the HTTP request it performs to an attacker-controlled server, and thereby extract the access token.
The resulting access could range from deleting files and folders in Amazon Drive to staging a ransomware attack by reading, encrypting, and re-writing a victim's files while erasing their history.
Checkmarx further noted that the vulnerability might have had a broader impact given that the APIs exploited as part of its proof-of-concept constitute only a small subset of the entire Amazon ecosystem.
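The root of the intent-driven redirect described above is an activity that takes a destination URL from a caller and attaches the user's access token to the request without checking where it is going. The following is an added illustration of that pattern beside its fix; it is not Amazon's code or the Checkmarx proof-of-concept, and the activity name, extra key and allowlisted hosts are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical activity (not Amazon's code). It shows the risky pattern, where a
// caller-supplied URL is used for an authenticated request, next to the hardened one.
public class AuthenticatedFetchActivity extends Activity {
    static final String EXTRA_URL = "target_url";          // assumed extra name
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "api.example.invalid", "drive.example.invalid")); // assumed first-party hosts

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String url = intent.getStringExtra(EXTRA_URL);
        String token = loadAccessToken();

        // Risky pattern: if this activity is exported, any app on the device can
        // launch it with its own URL and the bearer token is sent to that host.
        // fetchWithToken(url, token);

        // Hardened pattern: forward the token only to hosts we own, over HTTPS.
        // Pair this with android:exported="false" in the manifest unless the
        // activity genuinely must be reachable by other apps.
        if (isTrustedDestination(url)) {
            fetchWithToken(url, token);
        } else {
            finish(); // refuse the request; a log line here aids detection
        }
    }

    // Accept only absolute https URLs whose host is on the allowlist.
    static boolean isTrustedDestination(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    private String loadAccessToken() { return "<token from secure storage>"; } // placeholder
    private void fetchWithToken(String url, String token) { /* perform the request */ }
}
```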
News URL
https://thehackernews.com/2022/07/amazon-quietly-patches-high-severity.html