Security News

AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster. Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.

Amazon Prime Day is one such seasonal event in which the retail giant kicks off a series of tempting sales for consumers looking to save money. In advance of this year's Amazon Prime Day set for July 12 and 13, Check Point said it has seen a 37% jump in Amazon-related phishing attacks at the start of July compared with the daily average for June.

"The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino said. "Others, like the Amazon Drive API, allow an attacker full access to the user's files."

Theoretically, with exposed tokens, an attacker could've accessed users' personal data from a number of different Amazon apps - not just Photos but also, for example, Amazon Drive. To authenticate users across various apps within their ecosystem, like other software suite vendors, Amazon uses access tokens.

Amazon Photos is an image and video storage application that enables users to seamlessly share their snaps with up to five family members, offering powerful management and organization features. Exploiting this bug could have enabled a malicious app installed on the same device to snatch Amazon access tokens used for Amazon APIs authentication.

A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the 2019 Capital One breach. Paige Thompson, who operated under the online alias "Erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer.

To understand how Amazon and Skills developers handle audio data, the boffins created an auditing framework to evaluate how voice data gets collected, used, and shared. Technically, the auditing framework involved setting up a custom Raspberry Pi router to record the network endpoints contacted by Amazon Echo and emulating an Amazon Echo by setting up Alexa Voice Service SDK, in order to capture unencrypted network traffic.

The "Hotpatch" released by Amazon Web Services in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host. The issues - CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 - affect the hotfix solutions shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly but without ensuring that the new Java processes are run within the restrictions imposed on the container.

Amazon Web Services has fixed four security issues in its hot patch from December that addressed the critical Log4Shell vulnerability affecting cloud or on-premise environments running Java applications with a vulnerable version of the Log4j logging library or containers. The hot patch packages from Amazon are not exclusive to AWS resources and allowed escaping a container in the environment and taking control of the host.

Researchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves. Smart speakers lay dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., "Hey, Google," "Hey, Cortana" or, for the Amazon Echo, "Alexa," or simply, "Echo." Usually, of course, it's the device's owner who issues such commands.