Jay-Z App, Amazon Extension Slammed On Privacy

Android app offers free album for users' account, login info; meanwhile, Amazon 1Button extension for Chrome reports user activity to Amazon.

Surveillance warning: Jay-Z's new Android app, and a Chrome browser extension built by Amazon, have separately been accused of collecting extreme amounts of information on the people who install and use them.

On the Jay-Z front, the Electronic Privacy Information Center (EPIC), a privacy rights group, Friday demanded that the Federal Trade Commission (FTC) investigate Samsung, which published a mobile app prior to the release of Jay-Z's new album "Magna Carta ... Holy Grail."

"The Magna Carta App collects massive amounts of personal information from users, including location data and data pulled from other accounts and other apps on the users' phones," read a statement released Sunday by EPIC. "The Magna Carta app also includes hidden spam techniques that force users to promote the album."

"It's an ugly piece of software," veteran New York Times music critic Jon Pareles wrote on July 4, when Samsung began using the app to distribute a million downloads of the album -- purchased by the handset maker for $5 each -- prior to the album's official release. Pareles said the app not only required account information -- including email addresses and social media usernames -- for the handset owner prior to running, but also demanded a working login to Facebook or Twitter, plus permission to post to those accounts, before it would unlock the new album. Likewise, unlocking the album lyrics required making further posts to promote the album.

That wasn't all. According to a screenshot posted by rapper Killer Mike, the app's list of requested permissions includes access to all storage, system tools, location, network communication and phone calls. "I read this and ... 'Naw I'm cool'" posted the rapper, detailing why he didn't install the app. "Umma just buy the CD," he tweeted.

According to EPIC's complaint to the FTC, the app also "interfered with the functionality of the users' smartphones in ways that users could not reasonably have expected," such as requiring that the device accept messages relayed by Samsung, which might incur data charges. The app could also control the device's vibration setting, preventing the device from going into sleep mode, according to the complaint. Call that a rock-star feature?

The accusation that the app violates people's privacy is ironic, given that earlier this year Jay-Z was among the celebrities -- including Michelle Obama -- whose personal details and in some cases credit reports were leaked by a site known as "The Secret Files."

What might be done to corral the app? EPIC said it requested that the FTC "require Samsung to suspend the distribution of the app until the privacy problems are fixed and to implement the privacy protections contained in the Consumer Privacy Bill of Rights."

Samsung and Jay-Z, however, aren't the only ones being singled out for harvesting users' personal information. According to security researcher Krzysztof Kotowicz, the Amazon 1Button App for Chrome browser extension also collects much more data than might be considered reasonable. The shopping button, which about 1.8 million Chrome users have installed, promises "special offers and features right at your fingertips," including learning about Amazon's daily sales 10 minutes before other customers.

But Kotowicz said in a blog post that the extension also reports to Amazon every URL you visit, even HTTPS URLs, although it at least does so via secure HTTPS sessions so only Amazon is able to see that data. The browser extension also reports to commercial Web traffic data provider Alexa -- an Amazon subsidiary -- the content of some sites visited, including the first few results generated by Google searches, even when made using HTTPS. That data is routed via HTTP, meaning it's in plaintext and thus vulnerable to being sniffed by an attacker.

Beyond those privacy concerns, Kotowicz also accused Amazon of practicing poor browser plug-in hygiene. "Attackers can actively exploit described extension features to hijack your information," he said, thanks to Amazon having publicly posted two configuration files that detail how information gets retrieved from the shopping button, and making those files retrievable via HTTP.

"Exploiting this is very simple," said Kotowicz, who Thursday published an exploit script to Github "that converts Amazon 1Button Chrome extension to [a] poor man's transparent HTTPS [to] HTTP proxy." That would allow an attacker to retrieve many types of HTTPS URL information and the contents of pages, including the contents of emails and Google drive documents.

After publishing his research, however, Kotowicz said that on Friday Amazon had fixed the vulnerability by now serving the configuration links only via HTTPS. "Once again, full disclosure helped the common folks' security," he said. But he warned that Amazon was still tracking 1Button users and harvesting their private information.
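The two defensive lessons in Kotowicz's findings are that an extension's permission set tells you how much it can observe, and that any configuration or telemetry endpoint reached over plaintext HTTP can be altered or read on the wire. The following added audit script is not from the article, from Kotowicz, or from Amazon; it runs over a constructed manifest.json and background script (the sample names, `example.invalid` hosts and URLs are all assumptions) and flags traffic-wide permissions and hard-coded http:// endpoints, which is the check a reviewer would run on any extension before deploying it across a fleet.

```python
import json
import re

# Constructed sample manifest, modelled on a generic shopping-button
# extension. Not the real Amazon 1Button files.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Shopping Button (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "webRequest", "<all_urls>", "storage"],
    "background": {"scripts": ["background.js"]},
})

# Constructed sample background script: fetches remote configuration and
# reports every visited URL. Hosts under example.invalid are placeholders.
SAMPLE_BACKGROUND_JS = """
var CONFIG_URL = "http://config.example.invalid/extension-settings.json";
var REPORT_URL = "https://telemetry.example.invalid/visit";
var SEARCH_REPORT = "http://analytics.example.invalid/search";
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  fetch(REPORT_URL + "?u=" + encodeURIComponent(tab.url));
});
"""

# Permissions that let an extension see or alter traffic on every site.
BROAD_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "<all_urls>",
    "history", "webNavigation",
}
# Host patterns equivalent to "every site": *://*/*, http://*/*, https://*/*
BROAD_HOST_PATTERN = re.compile(r"^(\*|https?)://\*/\*$")

# Quoted absolute URLs inside the script source.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")


def audit_permissions(manifest_text):
    """Return the sorted set of traffic-wide permissions the manifest requests,
    covering 'permissions', MV3 'host_permissions' and content-script matches."""
    manifest = json.loads(manifest_text)
    requested = list(manifest.get("permissions", []))
    requested += list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    flagged = {
        p for p in requested
        if p in BROAD_PERMISSIONS or BROAD_HOST_PATTERN.match(p)
    }
    return sorted(flagged)


def find_plaintext_endpoints(js_text):
    """Return the http:// URLs hard-coded in a script. Configuration or
    telemetry fetched over plaintext can be read or rewritten on the wire."""
    return sorted({u for u in URL_RE.findall(js_text) if u.startswith("http://")})


def audit_extension(manifest_text, js_text):
    """Combine both checks into one report dict for an extension."""
    return {
        "broad_permissions": audit_permissions(manifest_text),
        "plaintext_endpoints": find_plaintext_endpoints(js_text),
    }


if __name__ == "__main__":
    report = audit_extension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS)
    for key, items in report.items():
        print(key + ":")
        for item in items:
            print("  - " + item)
```

On the constructed sample the script flags `tabs`, `webRequest` and `<all_urls>` (enough to observe every page visited, which matches the reporting behaviour the article describes) and the two http:// endpoints, while the https:// telemetry URL is left alone. The regex-based URL scan is deliberately simple; for a real review, run it over every script the manifest references, and treat any flagged plaintext configuration fetch as the same class of problem Amazon had to fix by moving its links to HTTPS.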

Cara Latham, User Rank: Apprentice
7/16/2013 | 4:01:15 PM
re: Jay-Z App, Amazon Extension Slammed On Privacy
This is why I am very wary about the apps I install on my phone. If any of them asks for access to an unreasonable number of features on my phone, I would rather skip the headache.