Risk
7/15/2013
12:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Jay-Z App, Amazon Extension Slammed On Privacy

Android app offers free album for users' account, login info; meanwhile, Amazon 1Button extension for Chrome reports user activity to Amazon.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Surveillance warning: Jay-Z's new Android app, and a Chrome browser extension built by Amazon, have separately been accused of collecting extreme amounts of information on the people who install and use them.

On the Jay-Z front, the Electronic Privacy Information Center (EPIC), a privacy rights group, Friday demanded that the Federal Trade Commission (FTC) investigate Samsung, which published a mobile app prior to the release of Jay-Z's new album "Magna Carta ... Holy Grail."

"The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones," read a statement released Sunday by EPIC. "The Magna Carta app also includes hidden spam techniques that force users to promote the album."

[ How proactive are you when it comes to protecting your personal information? Read Online Privacy: We Just Don't Care. ]

"It's an ugly piece of software," veteran New York Times music critic Jon Pareles wrote on July 4, when Samsung began using the app to distribute a million downloads of the album -- purchased by the handset maker for $5 each -- prior to the album's official release. Pareles said the app not only required account information -- including email addresses and social media usernames -- for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.

That wasn't all. According to a screenshot posted by rapper Killer Mike, the app's list of requested permissions includes access to all storage, system tools, location, network communication and phone calls. "I read this and ... 'Naw I'm cool'" posted the rapper, detailing why he didn't install the app. "Umma just buy the CD," he tweeted.

According to EPIC's complaint to the FTC, the app also "interfered with the functionality of the users' smartphones in ways that users could not reasonably have expected," such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device's vibration setting, preventing the device from going into sleep mode, according to the complaint. Call that a rock-star feature?

Accusations that the app violates people's privacy is ironic, given that earlier this year Jay-Z was among the celebrities -- including Michelle Obama -- whose personal details and in some cases credit reports were leaked by a site known as "The Secret Files."

What might be done to corral the app? EPIC said it requested that the FTC "require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights."

Samsung and Jay-Z, however, aren't the only ones being singled out for harvesting users' personal information. According to security researcher Krzysztof Kotowicz, the Amazon 1Button App for Chrome extension also collects much more data than might be considered reasonable. The shopping button, which about 1.8 million Chrome users have installed, promises "special offers and features right at your fingertips," including learning about Amazon's daily sales 10 minutes before other customers.

But Kotowicz said in a blog post that the extension also reports to Amazon every URL you visit, even HTTPS URLs, although it at least does so via secure HTTPS sessions so only Amazon is able to see that data. The browser extension also reports to commercial Web traffic data provider Alexa -- an Amazon subsidiary -- the content of some sites visited, including the first few results generated by Google searches, even when made using HTTPS. That data is routed via HTTP, meaning it's in plaintext and thus vulnerable to being sniffed by an attacker.

Beyond those privacy concerns, Kotowicz also accused Amazon of practicing poor browser plug-in hygiene. "Attackers can actively exploit described extension features to hijack your information," he said, thanks to Amazon having publicly posted two configuration files that detail how information gets retrieved from the shopping button, and making those files retrievable via HTTP.

"Exploiting this is very simple," said Kotowicz, who Thursday published an exploit script to Github "that converts Amazon 1Button Chrome extension to [a] poor man's transparent HTTPS [to] HTTP proxy." That would allow an attacker to retrieve many types of HTTPS URL information and the contents of pages, including the contents of emails and Google drive documents.

After publishing his research, however, Kotowicz said that Friday, Amazon had fixed the vulnerability, by now only providing the configuration links via HTTPS. "Once again, full disclosure helped the common folks' security," he said. But he warned that Amazon was still tracking 1Button users and harvesting their private information.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
7/16/2013 | 4:01:15 PM
re: Jay-Z App, Amazon Extension Slammed On Privacy
This is why I am very wary about the apps I install on my phone. If any of them asks for access to an unreasonable number of features on my phone, I would rather skip the headache.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.