Security News

A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor and indoor surveillance cameras, could have been exploited by attackers to extract users' personal data and their devices' data, including geolocation, address, and recordings. The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology to extract additional sensitive information and material.

As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer's saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft. When analyzing the Ring Android app, Checkmarx found that the app was exposing an 'activity' that could be launched by any other app installed on the Android device.

Amazon is suing over 10,000 administrators of Facebook groups that offer to post fake reviews on the online souk's website in exchange for products and money. Group admins charged $10 per fake review, according to CNBC. Reviewers were also lured with promises of free products in return for sham assessments of items such as car stereos or camera tripods.

Amazon-owned home security company Ring turned over footage to US law enforcement without permission from the devices' owners 11 times so far in 2022, according to details unveiled by Massachusetts senator Ed Markey. Although Amazon policy states that police cannot view recordings without owners' explicit permission, that policy does not apply to subpoenas and emergency requests, which is exactly what Amazon said happened in these 11 cases, although it seems the judgment of what constitutes an emergency request is left up to Ring itself.

AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster. Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.

Amazon Prime Day is a seasonal event in which the retail giant kicks off a series of tempting sales for consumers looking to save money. In advance of this year's Amazon Prime Day, set for July 12 and 13, Check Point said it has seen a 37% jump in Amazon-related phishing attacks at the start of July compared with the daily average for June.

"The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino said. "Others, like the Amazon Drive API, allow an attacker full access to the user's files."

Theoretically, with exposed tokens, an attacker could've accessed users' personal data from a number of different Amazon apps - not just Photos but also, for example, Amazon Drive. Like other software suite vendors, Amazon uses access tokens to authenticate users across the various apps within its ecosystem.

Amazon Photos is an image and video storage application that enables users to seamlessly share their snaps with up to five family members, offering powerful management and organization features. Exploiting this bug could have enabled a malicious app installed on the same device to snatch the Amazon access tokens used for Amazon API authentication.

A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the 2019 Capital One breach. Paige Thompson, who operated under the online alias "Erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer.