12:06 PM

Jay-Z App, Amazon Extension Slammed On Privacy

Android app offers free album for users' account, login info; meanwhile, Amazon 1Button extension for Chrome reports user activity to Amazon.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Surveillance warning: Jay-Z's new Android app, and a Chrome browser extension built by Amazon, have separately been accused of collecting extreme amounts of information on the people who install and use them.

On the Jay-Z front, the Electronic Privacy Information Center (EPIC), a privacy rights group, Friday demanded that the Federal Trade Commission (FTC) investigate Samsung, which published a mobile app prior to the release of Jay-Z's new album "Magna Carta ... Holy Grail."

"The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones," read a statement released Sunday by EPIC. "The Magna Carta app also includes hidden spam techniques that force users to promote the album."

[ How proactive are you when it comes to protecting your personal information? Read Online Privacy: We Just Don't Care. ]

"It's an ugly piece of software," veteran New York Times music critic Jon Pareles wrote on July 4, when Samsung began using the app to distribute a million downloads of the album -- purchased by the handset maker for $5 each -- prior to the album's official release. Pareles said the app not only required account information -- including email addresses and social media usernames -- for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.

That wasn't all. According to a screenshot posted by rapper Killer Mike, the app's list of requested permissions includes access to all storage, system tools, location, network communication and phone calls. "I read this and ... 'Naw I'm cool'" posted the rapper, detailing why he didn't install the app. "Umma just buy the CD," he tweeted.

According to EPIC's complaint to the FTC, the app also "interfered with the functionality of the users' smartphones in ways that users could not reasonably have expected," such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device's vibration setting, preventing the device from going into sleep mode, according to the complaint. Call that a rock-star feature?

Accusations that the app violates people's privacy is ironic, given that earlier this year Jay-Z was among the celebrities -- including Michelle Obama -- whose personal details and in some cases credit reports were leaked by a site known as "The Secret Files."

What might be done to corral the app? EPIC said it requested that the FTC "require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights."

Samsung and Jay-Z, however, aren't the only ones being singled out for harvesting users' personal information. According to security researcher Krzysztof Kotowicz, the Amazon 1Button App for Chrome extension also collects much more data than might be considered reasonable. The shopping button, which about 1.8 million Chrome users have installed, promises "special offers and features right at your fingertips," including learning about Amazon's daily sales 10 minutes before other customers.

But Kotowicz said in a blog post that the extension also reports to Amazon every URL you visit, even HTTPS URLs, although it at least does so via secure HTTPS sessions so only Amazon is able to see that data. The browser extension also reports to commercial Web traffic data provider Alexa -- an Amazon subsidiary -- the content of some sites visited, including the first few results generated by Google searches, even when made using HTTPS. That data is routed via HTTP, meaning it's in plaintext and thus vulnerable to being sniffed by an attacker.

Beyond those privacy concerns, Kotowicz also accused Amazon of practicing poor browser plug-in hygiene. "Attackers can actively exploit described extension features to hijack your information," he said, thanks to Amazon having publicly posted two configuration files that detail how information gets retrieved from the shopping button, and making those files retrievable via HTTP.

"Exploiting this is very simple," said Kotowicz, who Thursday published an exploit script to Github "that converts Amazon 1Button Chrome extension to [a] poor man's transparent HTTPS [to] HTTP proxy." That would allow an attacker to retrieve many types of HTTPS URL information and the contents of pages, including the contents of emails and Google drive documents.

After publishing his research, however, Kotowicz said that Friday, Amazon had fixed the vulnerability, by now only providing the configuration links via HTTPS. "Once again, full disclosure helped the common folks' security," he said. But he warned that Amazon was still tracking 1Button users and harvesting their private information.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cara Latham
Cara Latham,
User Rank: Apprentice
7/16/2013 | 4:01:15 PM
re: Jay-Z App, Amazon Extension Slammed On Privacy
This is why I am very wary about the apps I install on my phone. If any of them asks for access to an unreasonable number of features on my phone, I would rather skip the headache.
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/22/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.