Researchers found a extreme safety vulnerability within the Android Pictures app that uncovered Amazon entry token. Amazon patched the bug following the report.
Amazon Pictures App Vulnerability
In line with a current blog post from Checkmarx, they discovered how a vulnerability within the Amazon Android Pictures app may enable stealing Amazon entry tokens.
Android Pictures is a devoted photo-management app from Amazon for Android and iOS customers. The official apps can be found on the respective official Apple and Google app shops and have garnered many downloads. The vulnerability in query affected the Android model.
Particularly, the researchers seen a misconfiguration within the com.amazon.gallery.thor.app.exercise.ThorViewActivity part that permitted unauthenticated entry. Thus, a malicious app may entry and steal Amazon entry tokens by abusing the vulnerability. As acknowledged within the put up,
This outcomes from a misconfiguration of the com.amazon.gallery.thor.app.exercise.ThorViewActivity part, which is implicitly exported within the app’s manifest file, thus permitting exterior functions to entry it…
Figuring out this, a malicious software put in on the sufferer’s cellphone may ship an intent that successfully launches the susceptible exercise and triggers the request to be despatched to a server managed by the attacker.
The researchers have shared the next video because the PoC exploit.
Gaining this entry token would additionally enable an adversary to change saved information, erase historical past, and even delete the information in Amazon Drive. Such specific entry additionally triggered the specter of profitable ransomware assaults.
Amazon Patched The Bug
Following this discovery, the researchers reported the bug by way of the Amazon Vulnerability Analysis Program on HackerOne.
Consequently, the eCommerce and tech big began engaged on a repair, which they ultimately launched in December 2021.
Therefore, all customers ought to do is replace their methods with the current app variations to remain shielded from potential exploitation. The Play Store listing exhibits the most recent app replace from March 2022. So, maybe, that is what the customers ought to obtain.