Researchers discovered a severe security vulnerability in the Amazon Photos app for Android that exposed Amazon access tokens. Amazon patched the bug following the report.
Amazon Photos App Vulnerability
According to a recent blog post from Checkmarx, its researchers found a vulnerability in the Amazon Photos app for Android that could allow a malicious app to steal Amazon access tokens.
Amazon Photos is a dedicated photo-management app from Amazon for Android and iOS users. The official apps are available on the Apple and Google app stores and have garnered many downloads. The vulnerability in question affected the Android version.
Specifically, the researchers noticed a misconfiguration in the com.amazon.gallery.thor.app.activity.ThorViewActivity component that permitted unauthenticated access to it. Thus, a malicious app installed on the same device could abuse the vulnerability to access and steal Amazon access tokens. As stated in the post,
This results from a misconfiguration of the com.amazon.gallery.thor.app.activity.ThorViewActivity component, which is implicitly exported in the app’s manifest file, thus allowing external applications to access it…
Knowing this, a malicious application installed on the victim’s phone could send an intent that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker.
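As an added illustration (not code from Checkmarx or Amazon), the check below parses an Android manifest and flags components that other apps can start: those with an intent-filter but no android:exported attribute, which Android treats as exported by default, and those exported without an android:permission. The sample manifest, its package and its class names are constructed for this example.

```python
# Added example (not Checkmarx's or Amazon's code): flag manifest components
# that other apps can reach, i.e. implicitly exported (intent-filter present,
# android:exported absent) or exported="true" with no android:permission.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <!-- implicitly exported: intent-filter present, android:exported absent -->
    <activity android:name=".ViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <!-- exported on purpose but guarded by a custom permission -->
    <activity android:name=".ShareActivity" android:exported="true"
        android:permission="com.example.photos.permission.SHARE">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <!-- the fix for a component no other app needs to start -->
    <activity android:name=".EditActivity" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exposed_components(manifest_xml):
    """Return (name, reason) for each component another app could start."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported is None and has_filter:
                findings.append((_attr(comp, "name"), "implicitly exported"))
            elif exported == "true" and _attr(comp, "permission") is None:
                findings.append((_attr(comp, "name"), "exported without permission"))
    return findings


if __name__ == "__main__":
    for name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print("%s: %s" % (name, reason))
```

Apps targeting Android 12 (API level 31) or higher must declare android:exported explicitly on every component that has an intent filter, so the implicit case flagged here is rejected at build time for those targets.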
The researchers demonstrated the attack in a proof-of-concept video.
Gaining this access token would also allow an adversary to modify stored files, erase history, or even delete files in Amazon Drive. Such broad access also raised the threat of successful ransomware attacks.
Amazon Patched The Bug
Following this discovery, the researchers reported the bug via the Amazon Vulnerability Research Program on HackerOne.
Consequently, the eCommerce and tech giant started working on a fix, which they eventually released in December 2021.
Hence, all users need to do is update the app to the latest version to stay protected from potential exploitation. The Play Store listing shows the latest app update dated March 2022, so that is presumably the version users should install.