Amazon, in December 2021, patched a excessive severity vulnerability affecting its Images app for Android that might have been exploited to steal a person’s entry tokens.
“The Amazon entry token is used to authenticate the person throughout a number of Amazon APIs, a few of which comprise private knowledge comparable to full title, e-mail, and tackle,” Checkmarx researchers João Morais and Pedro Umbelino stated. “Others, just like the Amazon Drive API, enable an attacker full entry to the person’s recordsdata.”
The Israeli software safety testing firm reported the difficulty to Amazon on November 7, 2021, following which the tech large rolled out a repair on December 18, 2021.
The leak is the results of a misconfiguration in one of many app’s parts named “com.amazon.gallery.thor.app.exercise.ThorViewActivity” that is outlined within the AndroidManifest.xml file and which, when launched, initiates an HTTP request with a header containing the entry token.
In a nutshell, it implies that an exterior app may ship an intent — a message to facilitate communication between apps — to launch the weak exercise in query and redirect the HTTP request to an attacker-controlled server and extract the entry token.
Calling the bug a case of damaged authentication, the cybersecurity firm stated the difficulty may have enabled malicious apps put in on the gadget to seize the entry tokens, granting the attacker permissions to utilize the APIs for follow-on actions.
This might fluctuate from deleting recordsdata and folders in Amazon Drive to even exploiting the entry to stage a ransomware assault by studying, encrypting, and re-writing a sufferer’s recordsdata whereas erasing their historical past.
Checkmarx additional famous that the vulnerability might need had a broader influence provided that the APIs exploited as a part of its proof-of-concept (PoC) represent solely a small subset of the complete Amazon ecosystem.