September 21, 2023

Researchers have spotted a critical vulnerability affecting the Amazon Photos app on Android.

When exploited this could allow a malicious application installed on the user’s phone to steal their Amazon access token.

Advertisements

The Amazon access token is used to authenticate users across various Amazon API that contain personally identifiable information that could be exposed during attacks. Other APIs, like the Amazon Drive API, could allow threat actors to gain full access to the user’s files.

The vulnerability derived from a misconfiguration of one of the Photos app’s components, which would allow external applications to access it.

When initiated HTTP request that carried a header with the customer’s access token. The server receiving the request could then be controlled. Ransomware possibility also not eliminated.

Upon discovering this set of vulnerabilities, first action by the researchers was to contact the Amazon Photos development team.

Advertisements

Due to high potential impact of the vulnerability and the high likelihood of success in real attack scenarios, Amazon considered this a high severity issue and released a fix for it soon after it was reported.

This research and documentation was done by Checkmarx.

Tags:

Leave a Reply

You may have missed

Snatch ransomware Dissection

September 21, 2023

Fortinet Fixes Vulnerabilities in FortiOS

September 20, 2023

Trend Micro Endpoint Vulnerability – CVE-2023-41179

September 20, 2023

GitLab Addresses Critical Vulnerability -CVE-2023-4998

September 20, 2023

Crowdstrike New Offerings and Bionic.ai Acquisition

September 20, 2023

Microsoft AI exposed terabytes of data accidentally

September 19, 2023
%d bloggers like this: