Amazon, in December 2021, fixed a high-severity vulnerability affecting its Photos app for Android that could have been exploited to steal a user’s access tokens.
“The Amazon access token is used to authenticate the user to multiple Amazon APIs, some of which contain personal data such as full name, email, and address,” said Checkmarx researchers João Morais and Pedro Umbelino. “Others, like the Amazon Drive API, allow an attacker full access to user files.”
The Israeli app security testing company reported the issue to Amazon on November 7, 2021, after which the tech giant rolled out a fix on December 18, 2021.
The leak is the result of a misconfiguration in one of the app's components, the activity named “com.amazon.gallery.thor.app.activity.ThorViewActivity”, which is declared in the AndroidManifest.xml file and which, when launched, sends an HTTP request whose headers include the access token.
In a nutshell, this means that an external application could send an intent – a message used for communication between applications – to start the vulnerable activity, redirect its HTTP request to a server controlled by the attacker, and so extract the access token.
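A first line of defence against this class of bug is a manifest review: any activity that other apps can start (declared with android:exported="true", or carrying an intent-filter without an explicit exported value, which makes it exported by default on Android versions before API 31) deserves scrutiny of what it does with the intent it receives. The following checker is an added example, not code from the article or from Checkmarx or Amazon: it parses an AndroidManifest.xml with the standard library and lists such activities. The two manifests embedded below are constructed for the demonstration; they reuse only the component name the article cites and say nothing about the real app's manifest.

```python
"""Added example: report activities in an AndroidManifest.xml that other apps
can start. Not the article's, Checkmarx's or Amazon's code; manifests below
are constructed sample input."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:<name> attribute (namespaced in the XML)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exposed_activities(manifest_xml: str):
    """Return one dict per activity that another app could start.

    Keys: name, reason, guarded (True when android:permission is set),
    launcher (True for the app's own launcher entry, which must be exported).
    Activities with android:exported="false" are never reported.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for act in app.findall("activity"):
        exported = _attr(act, "exported")
        if exported == "false":
            continue
        filters = act.findall("intent-filter")
        if exported == "true":
            reason = 'android:exported="true"'
        elif filters:
            reason = ("intent-filter without explicit android:exported "
                      "(exported by default before API 31)")
        else:
            continue  # no explicit export and no filter: private by default
        is_launcher = any(
            _attr(cat, "name") == LAUNCHER_CATEGORY
            for f in filters for cat in f.findall("category"))
        findings.append({
            "name": _attr(act, "name"),
            "reason": reason,
            "guarded": _attr(act, "permission") is not None,
            "launcher": is_launcher,
        })
    return findings


def needs_review(manifest_xml: str):
    """Names of exported activities that are neither permission-guarded nor
    the launcher entry: the ones a reviewer should inspect first."""
    return [f["name"] for f in find_exposed_activities(manifest_xml)
            if not f["guarded"] and not f["launcher"]]


# Constructed sample: the viewer activity is reachable by any app on the device.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <activity android:name="com.amazon.gallery.thor.app.activity.ThorViewActivity"
              android:exported="true"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".ShareActivity"
              android:permission="com.example.photos.INTERNAL">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed hardened variant: the same activity made private to the app.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'ThorViewActivity"\n              android:exported="true"',
    'ThorViewActivity"\n              android:exported="false"')


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        print(label, "-> needs review:", needs_review(manifest))
```

Making an activity non-exported removes the entry point entirely; where an activity must stay exported, the complementary fix is to treat every value it receives through the intent as untrusted, for instance by refusing to send credentials to any host that is not on the app's own allowlist.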
Calling the bug a case of broken authentication, the cybersecurity firm said the issue could have allowed malicious apps installed on the device to grab access tokens, granting the attacker permission to use APIs for follow-up activities.
This can range from deleting files and folders in Amazon Drive to even exploiting access to stage a ransomware attack by reading, encrypting, and rewriting a victim’s files while erasing their history.
Checkmarx further noted that the vulnerability could have had a wider impact, given that the APIs exploited as part of its proof of concept (PoC) are only a small subset of the entire Amazon ecosystem.