The now-patched bug allows an attacker to gain full access to a user's Amazon files.
A high-severity flaw in the Amazon Photos Android App — which has more than 50 million downloads — could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.
The team at Checkmarx alerted Amazon to the broken authentication vulnerability in the Amazon Photo App for Android, which allows users to share, print, and store mobile photos.
The analysts said the bug is due to a component misconfiguration in the app's manifest file.
"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. After receiving the request, the analysts found they could also gain control of the server.
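As an added illustration that is not part of the Checkmarx report or Amazon's code, the small Python check below parses an Android manifest and flags the class of misconfiguration described above: components that other apps can launch with no permission requirement. The sample manifest and its component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not the Amazon Photos manifest): one activity is
# exported and unprotected, one is exported but permission-gated, one is private,
# and one is implicitly exported because it declares an intent-filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photos">
  <application>
    <activity android:name=".UploadActivity" android:exported="true"/>
    <activity android:name=".ShareActivity"
              android:exported="true"
              android:permission="com.example.photos.permission.SHARE"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def is_exported(component):
    """True if other apps can reach this component."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Legacy default: a component with an intent-filter is exported unless
    # android:exported is set to false.
    return component.find("intent-filter") is not None


def unprotected_exported_components(manifest_xml):
    """Return names of exported components that declare no android:permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if is_exported(comp) and comp.get(ANDROID_NS + "permission") is None:
                findings.append(comp.get(ANDROID_NS + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_exported_components(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

Running this against a real APK's decoded manifest surfaces the components worth auditing for behaviour like the token-bearing request described above; a permission-gated or non-exported component does not appear in the output.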
The report added that, "with all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history."
To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.