Security News

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services
2022-11-28 11:56

Amazon Web Services has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. "This attack abuses the AppSync service to assume roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data
2022-11-16 13:04

Hundreds of databases on Amazon Relational Database Service are exposing personally identifiable information, new findings from Mitiga, a cloud incident response company, show. Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services cloud.

Week in review: Apple fixes exploited zero-days, 1,900 Signal users exposed, Amazon Ring app vuln
2022-08-21 08:00

Apple fixes exploited zero-days: Update your devices! Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix CVE-2022-32894 and CVE-2022-32893, two code execution vulnerabilities exploited by attackers in the wild.

1,900 Signal users exposed following Twilio breach: The attacker behind the recent Twilio data breach may have accessed phone numbers and SMS registration codes for 1,900 users of the popular secure messaging app Signal.

New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings
2022-08-19 08:23

Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx explained it identified a cross-site scripting flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app.

How phishing attacks are exploiting Amazon Web Services
2022-08-18 17:18

Cybercriminals prefer to use legitimate sites and services in their phishing scams, not just to trick unsuspecting victims but to sneak past security scanners that would otherwise block traffic from a suspicious site.

Vulnerability in Amazon Ring app allowed access to private camera recordings
2022-08-18 12:05

A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor and indoor surveillance cameras, could have been exploited by attackers to extract users' personal data and device's data, including geolocation, address, and recordings. The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology, to extract additional sensitive information and material.

Amazon fixes Ring Android app flaw exposing camera recordings
2022-08-18 10:00

As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer's saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft. When analyzing the Ring Android app, Checkmarx found that the app was exposing an 'activity' that could be launched by any other app installed on the Android device.

Amazon sues 10,000 Facebook Group admins for offering fake reviews
2022-07-20 06:33

Amazon is suing over 10,000 administrators of Facebook groups that offer to post fake reviews on the online souk's website in exchange for products and money. Group admins charged $10 per fake review, according to CNBC. Reviewers were also lured with promises of free products in return for sham assessments of items such as car stereos or camera tripods.

Amazon gave Ring video to cops without consent or warrant 11 times so far in 2022
2022-07-14 13:45

Amazon-owned home security company Ring turned over footage to US law enforcement without permission from the devices' owners 11 times so far in 2022, according to details unveiled by Massachusetts senator Ed Markey. Although Amazon policy states that police cannot view recordings without owners' explicit permission, that policy does not apply to subpoenas and emergency requests - which is exactly what Amazon said happened in these 11 cases, although it seems the judge of what constitutes an emergency request is left up to Ring itself.

Amazon squashes years-old authentication bugs in AWS Kubernetes service
2022-07-12 18:45

AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster. Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.