Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

2022-07-01 00:09

"The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino said.

"Others, like the Amazon Drive API, allow an attacker full access to the user's files."

The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021.

In a nutshell, it means that an external app could send an intent - a message to facilitate communication between apps - to launch the vulnerable activity in question and redirect the HTTP request to an attacker-controlled server and extract the access token.

This could vary from deleting files and folders in Amazon Drive to even exploiting the access to stage a ransomware attack by reading, encrypting, and re-writing a victim's files while erasing their history.

Checkmarx further noted that the vulnerability might have had a broader impact given that the APIs exploited as part of its proof-of-concept constitute only a small subset of the entire Amazon ecosystem.

News URL

https://thehackernews.com/2022/07/amazon-quietly-patches-high-severity.html

#amazon #android #vulnerability

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Amazon		64	9	60	39	13	121
Android		4	0	17	2	0	19