Amazon patched high-severity vulnerability in the Android Photos app

Android Photos App exploitable flaw silently fixed by Amazon

Amazon patches high-severity flaw. The Amazon Photos app flaw could be exploited to steal personal data.

Amazon confirmed that it has patched a vulnerability in the Photos app for Android devices. The application has already been downloaded more than 50 million times via the Google Play Store.[1] The image and video storage application enables users to share their photos with family members and offers management and organization functions. Amazon patched the severe flaw in December 2021.[2]

It is possible that the vulnerability was already exploited by malicious actors wanting to steal users' access tokens.[3] These tokens are used to authenticate the user across multiple Amazon APIs, which often hold personal data such as emails, addresses, and full names. If a token for an API such as the Amazon Drive API is accessed, attackers can gain full access to all of the user's files.

The issue was reported to Amazon on November 7, 2021, and the tech giant issued a fix a month later, but the issue was not addressed publicly at the time. Checkmarx reported that the flaw lies in the misconfiguration of an app component: the misconfiguration leaves it externally accessible without any authentication.[4]

Possible exploitation of the flaw

If the bug gets exploited, a malicious app installed on the same device as the Amazon Photos app can snatch the Amazon access tokens used for Amazon API authentication. These APIs can hold personal or sensitive information and expose physical address details, names, and emails to attackers for later use.

The vulnerable component is “com.amazon.gallery.thor.app.activity.ThorViewActivity”. Once it is launched, an HTTP request is triggered that contains a header with the particular user's token. Researchers revealed that an external application could launch the vulnerable activity and trigger the request, sending the token to a server that criminals control.
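As an added illustration (not code from the article or from Amazon), a small manifest audit in Python that applies the Android export rules to flag components other apps can launch without a permission requirement, the class of misconfiguration described above. The manifest is constructed here; only the component name is taken from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported by default (targetSdk < 31)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exported(manifest_xml):
    """Return (tag, name) for every activity/service/receiver/provider that is
    reachable from other apps and requires no android:permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(comp) and not _attr(comp, "permission"):
                findings.append((tag, _attr(comp, "name")))
    return findings


# Constructed manifest modelled on the article's description; not Amazon's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.photos">
  <application>
    <!-- Reachable by any app: exported="true" and no permission gate -->
    <activity android:name="com.amazon.gallery.thor.app.activity.ThorViewActivity"
              android:exported="true"/>
    <!-- Implicitly exported via intent-filter, but gated by a permission -->
    <activity android:name=".ShareActivity" android:permission="example.photos.SHARE">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <!-- Private: no exported flag and no intent-filter -->
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exported(SAMPLE_MANIFEST):
        print(f"[warn] unprotected exported {tag}: {name}")
```

Flipping the flagged activity to `android:exported="false"` (or adding an `android:permission`) makes the audit come back clean, which is the shape of the fix for this class of bug.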

During the investigation and analysis of possible exploitation scenarios, the researchers found that attackers could perform file actions on Amazon Drive cloud storage, erase history, delete data, and make the action irrecoverable. Checkmarx researchers also noted that criminals would only need to read, encrypt and re-write files while erasing the history to use the flaw for virus[5] deployment:

With all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector

Access token issue

There are a number of ways these leaky access tokens could have been leveraged by an attacker. A malicious third-party app can get installed on the Android device and launch the vulnerable activity, triggering the data gathering.

Attackers often attempt to steal valuable data, including photos that can be taken from the Amazon Photos application directly. It is unclear how many applications could have been targeted with these leaked access tokens. The report lists only a small number of Amazon APIs that were analyzed for it; the real number could be far bigger.

The issue was resolved with a security update deployed to production, but users were never informed about the potential exposure and security risks. There were no reports of particular signs of exploitation. This bug is a case of broken authentication, and the security report states that the issue might have a broader impact given that the APIs exploited as part of the proof-of-concept constitute only a small subset of the entire Amazon ecosystem.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with Communication and Journalism studies.
