Amazon fixes the Ring Android app bug that exposed camera recordings

Amazon silently solves the vulnerability in applications that have possibly led to data exposure

Android app potentially exposed camera recordings to attackers

The company resolved a security flaw back in May that exposed data and camera recordings on Ring app users. Android application bug was reported to the Amazon Vulnerability Research Program by researchers back in May.^[1] The cybersecurity research firm Checkmarx findings got addressed, and Amazon released a fix for the issues on May 27 when the .51 version of the Android update was released.

The Android Ring application was purchased by Amazon in 2018 and has been downloaded more than 10 million times.^[2] It supposedly gives users access to video streams from the cameras via the application. The spokesperson for Amazon stated that customer information was not exposed due to the flaw and confirmed that the fix was released back in May. They claim that the bug would be difficult to exploit for anyone because it requires an unlikely and complex set of circumstances to execute.

The flaw has been certified as a high-severity vulnerability, and according to various reports, the exploitation could have allowed the download of customers' saved camera recordings.^[3] It was discovered and reported right away, so at this time, the bug has been fixed by Amazon already.

Threat actors can do a lot of things with the massive amount of recordings obtained from victims. Using various technologies, attackers can find videos of celebrities, certain documents with particular words, and even passwords written on posted notes. This can have major consequences.^[4]

Silent fix for a high-severity bug

The Ring Android app has millions of downloads and is used by people worldwide due to the attractive ability to access customers' saved camera recordings. This access possibly allowed hackers to perform various malicious processes from extortion to direct data theft.

The application and the flaw were analyzed by the researchers, and they found that the app was exposing activity that could be launched by any other applications installed on the Android device. Researchers explained:

This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”

It means that is possible to launch the activity and direct it to the attacker-controlled web server to interact with the device. But sites could be ring.com or a2z.com domains to have the possibility to interact with the activity. The vulnerability was found when the restrictions like this were bypassed.

Stealing login cookies to extract data

The in-depth research showed that XSS vulnerability allowed hackers to steal login cookies using the authentication tokens and hardware IDs for the account of the particular customer. That could be possible is the Ring APIs that become accessible. From there, researchers revealed that stealing any personal information from the customer's account could be possible. Data like emails, full names, phone numbers, and Ring device data, location, address, and recordings could have been extracted.^[5]

The research exposed the possible attack chain scenario and revealed that it is possible to exploit the flaw and create the malicious app on Google Play or another site to do so. Installing the application could be the only criteria, and once the person is tricked into downloading the application, the attack can be executed and send the attacker Ring account authentication cookies to further perform the exfiltration or other attack steps.