Risk
7/15/2013
12:06 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Jay-Z App, Amazon Extension Slammed On Privacy

Android app offers free album for users' account, login info; meanwhile, Amazon 1Button extension for Chrome reports user activity to Amazon.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Surveillance warning: Jay-Z's new Android app, and a Chrome browser extension built by Amazon, have separately been accused of collecting extreme amounts of information on the people who install and use them.

On the Jay-Z front, the Electronic Privacy Information Center (EPIC), a privacy rights group, Friday demanded that the Federal Trade Commission (FTC) investigate Samsung, which published a mobile app prior to the release of Jay-Z's new album "Magna Carta ... Holy Grail."

"The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones," read a statement released Sunday by EPIC. "The Magna Carta app also includes hidden spam techniques that force users to promote the album."

[ How proactive are you when it comes to protecting your personal information? Read Online Privacy: We Just Don't Care. ]

"It's an ugly piece of software," veteran New York Times music critic Jon Pareles wrote on July 4, when Samsung began using the app to distribute a million downloads of the album -- purchased by the handset maker for $5 each -- prior to the album's official release. Pareles said the app not only required account information -- including email addresses and social media usernames -- for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.

That wasn't all. According to a screenshot posted by rapper Killer Mike, the app's list of requested permissions includes access to all storage, system tools, location, network communication and phone calls. "I read this and ... 'Naw I'm cool'" posted the rapper, detailing why he didn't install the app. "Umma just buy the CD," he tweeted.

According to EPIC's complaint to the FTC, the app also "interfered with the functionality of the users' smartphones in ways that users could not reasonably have expected," such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device's vibration setting, preventing the device from going into sleep mode, according to the complaint. Call that a rock-star feature?

Accusations that the app violates people's privacy is ironic, given that earlier this year Jay-Z was among the celebrities -- including Michelle Obama -- whose personal details and in some cases credit reports were leaked by a site known as "The Secret Files."

What might be done to corral the app? EPIC said it requested that the FTC "require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights."

Samsung and Jay-Z, however, aren't the only ones being singled out for harvesting users' personal information. According to security researcher Krzysztof Kotowicz, the Amazon 1Button App for Chrome extension also collects much more data than might be considered reasonable. The shopping button, which about 1.8 million Chrome users have installed, promises "special offers and features right at your fingertips," including learning about Amazon's daily sales 10 minutes before other customers.

But Kotowicz said in a blog post that the extension also reports to Amazon every URL you visit, even HTTPS URLs, although it at least does so via secure HTTPS sessions so only Amazon is able to see that data. The browser extension also reports to commercial Web traffic data provider Alexa -- an Amazon subsidiary -- the content of some sites visited, including the first few results generated by Google searches, even when made using HTTPS. That data is routed via HTTP, meaning it's in plaintext and thus vulnerable to being sniffed by an attacker.

Beyond those privacy concerns, Kotowicz also accused Amazon of practicing poor browser plug-in hygiene. "Attackers can actively exploit described extension features to hijack your information," he said, thanks to Amazon having publicly posted two configuration files that detail how information gets retrieved from the shopping button, and making those files retrievable via HTTP.

"Exploiting this is very simple," said Kotowicz, who Thursday published an exploit script to Github "that converts Amazon 1Button Chrome extension to [a] poor man's transparent HTTPS [to] HTTP proxy." That would allow an attacker to retrieve many types of HTTPS URL information and the contents of pages, including the contents of emails and Google drive documents.

After publishing his research, however, Kotowicz said that Friday, Amazon had fixed the vulnerability, by now only providing the configuration links via HTTPS. "Once again, full disclosure helped the common folks' security," he said. But he warned that Amazon was still tracking 1Button users and harvesting their private information.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
7/16/2013 | 4:01:15 PM
re: Jay-Z App, Amazon Extension Slammed On Privacy
This is why I am very wary about the apps I install on my phone. If any of them asks for access to an unreasonable number of features on my phone, I would rather skip the headache.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web