12:06 PM

Jay-Z App, Amazon Extension Slammed On Privacy

Android app offers free album for users' account, login info; meanwhile, Amazon 1Button extension for Chrome reports user activity to Amazon.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Surveillance warning: Jay-Z's new Android app, and a Chrome browser extension built by Amazon, have separately been accused of collecting extreme amounts of information on the people who install and use them.

On the Jay-Z front, the Electronic Privacy Information Center (EPIC), a privacy rights group, Friday demanded that the Federal Trade Commission (FTC) investigate Samsung, which published a mobile app prior to the release of Jay-Z's new album "Magna Carta ... Holy Grail."

"The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones," read a statement released Sunday by EPIC. "The Magna Carta app also includes hidden spam techniques that force users to promote the album."

[ How proactive are you when it comes to protecting your personal information? Read Online Privacy: We Just Don't Care. ]

"It's an ugly piece of software," veteran New York Times music critic Jon Pareles wrote on July 4, when Samsung began using the app to distribute a million downloads of the album -- purchased by the handset maker for $5 each -- prior to the album's official release. Pareles said the app not only required account information -- including email addresses and social media usernames -- for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.

That wasn't all. According to a screenshot posted by rapper Killer Mike, the app's list of requested permissions includes access to all storage, system tools, location, network communication and phone calls. "I read this and ... 'Naw I'm cool'" posted the rapper, detailing why he didn't install the app. "Umma just buy the CD," he tweeted.

According to EPIC's complaint to the FTC, the app also "interfered with the functionality of the users' smartphones in ways that users could not reasonably have expected," such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device's vibration setting, preventing the device from going into sleep mode, according to the complaint. Call that a rock-star feature?

Accusations that the app violates people's privacy is ironic, given that earlier this year Jay-Z was among the celebrities -- including Michelle Obama -- whose personal details and in some cases credit reports were leaked by a site known as "The Secret Files."

What might be done to corral the app? EPIC said it requested that the FTC "require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights."

Samsung and Jay-Z, however, aren't the only ones being singled out for harvesting users' personal information. According to security researcher Krzysztof Kotowicz, the Amazon 1Button App for Chrome extension also collects much more data than might be considered reasonable. The shopping button, which about 1.8 million Chrome users have installed, promises "special offers and features right at your fingertips," including learning about Amazon's daily sales 10 minutes before other customers.

But Kotowicz said in a blog post that the extension also reports to Amazon every URL you visit, even HTTPS URLs, although it at least does so via secure HTTPS sessions so only Amazon is able to see that data. The browser extension also reports to commercial Web traffic data provider Alexa -- an Amazon subsidiary -- the content of some sites visited, including the first few results generated by Google searches, even when made using HTTPS. That data is routed via HTTP, meaning it's in plaintext and thus vulnerable to being sniffed by an attacker.

Beyond those privacy concerns, Kotowicz also accused Amazon of practicing poor browser plug-in hygiene. "Attackers can actively exploit described extension features to hijack your information," he said, thanks to Amazon having publicly posted two configuration files that detail how information gets retrieved from the shopping button, and making those files retrievable via HTTP.

"Exploiting this is very simple," said Kotowicz, who Thursday published an exploit script to Github "that converts Amazon 1Button Chrome extension to [a] poor man's transparent HTTPS [to] HTTP proxy." That would allow an attacker to retrieve many types of HTTPS URL information and the contents of pages, including the contents of emails and Google drive documents.

After publishing his research, however, Kotowicz said that Friday, Amazon had fixed the vulnerability, by now only providing the configuration links via HTTPS. "Once again, full disclosure helped the common folks' security," he said. But he warned that Amazon was still tracking 1Button users and harvesting their private information.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cara Latham
Cara Latham,
User Rank: Apprentice
7/16/2013 | 4:01:15 PM
re: Jay-Z App, Amazon Extension Slammed On Privacy
This is why I am very wary about the apps I install on my phone. If any of them asks for access to an unreasonable number of features on my phone, I would rather skip the headache.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

Published: 2015-07-26
Honeywell Tuxedo Touch before relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!