Broken Authentication Vuln Threatens Amazon Photos Android App

The now-patched bug allows an attacker to gain full access to a user's Amazon files.

Dark Reading Staff, Dark Reading

June 29, 2022


A high-severity flaw in the Amazon Photos Android App — which has more than 50 million downloads — could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.

The team at Checkmarx alerted Amazon to the broken authentication vulnerability in the Amazon Photos app for Android, which allows users to share, print, and store mobile photos.

The analysts said the bug is due to a component misconfiguration in the app's manifest file.

"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. After receiving the request, the analysts found they could also gain control of the server.

The report added that, "with all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history."

To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.
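
For developers, a check for the kind of manifest problem described above. This is an added example, not Checkmarx's or Amazon's code, and since the article does not say which manifest attribute was misconfigured, it assumes the common case of a component other apps can launch because it is exported without a permission guard. It expects a decoded text `AndroidManifest.xml`; the manifest, package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photos">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ViewerActivity" android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.photos.permission.SYNC"/>
  </application>
</manifest>"""


def unguarded_exported_components(manifest_xml):
    """Return (tag, name, reason) for components any other app can start."""
    root = ET.fromstring(manifest_xml)
    app_perm = next((a.get(ANDROID + "permission") for a in root.iter("application")), None)
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = comp.get(ANDROID + "exported")
            if exported == "true":
                reason = "exported=true"
            elif exported is None and comp.find("intent-filter") is not None:
                # Before Android 12, an intent-filter implied exported=true.
                reason = "implicit export via intent-filter"
            else:
                continue
            if comp.get(ANDROID + "permission") or app_perm:
                continue  # callers must hold a permission to start it
            categories = {c.get(ANDROID + "name") for c in comp.iter("category")}
            if "android.intent.category.LAUNCHER" in categories:
                continue  # launcher entry point is exported by design
            findings.append((tag, comp.get(ANDROID + "name"), reason))
    return findings
```

Each finding is a component to review by hand: whether it needs to be exported at all, and whether anything it does on launch (such as sending an authenticated request) can be influenced by the calling app.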
