Cybersecurity researchers from Checkmarx have spotted a critical vulnerability affecting the Amazon Photos app on Android.
If exploited, the flaw could allow a malicious application installed on the user’s phone to steal their Amazon access token.
From a technical standpoint, the Amazon access token is used to authenticate users across various Amazon application program interfaces (API), some of which contain personally identifiable information (PII) that could be exposed during attacks.
Other APIs, like the Amazon Drive API, could allow threat actors (TA) to gain full access to the user’s files.
According to Checkmarx, the vulnerability derived from a misconfiguration of one of the Photos app’s components, which would allow external applications to access it.
Whenever this activity was launched, it triggered an HTTP request that carried a header with the customer’s access token. The server receiving the request could then be controlled.
“Knowing this, a malicious application installed on the victim’s phone could send an intent that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker,” wrote the researchers.
“With all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history.”
Moreover, Checkmarx explained that it only analyzed a few APIs in its research, constituting a small subset of the entire Amazon ecosystem.
“It’s possible that other Amazon APIs would also be accessible to an attacker with that same token,” the security experts explained.
Upon discovering this set of vulnerabilities, Checkmarx said its first action was to contact the Amazon Photos development team.
“Due to the high potential impact of the vulnerability and the high likelihood of success in real attack scenarios, Amazon considered this a high severity issue and released a fix for it soon after it was reported.”
The news comes a month after a misconfigured database exposed a major coordinated scheme by Amazon vendors to obtain fake reviews for their products.