shutterstock_1793080129 (1)

Amazon quietly patches ‘high severity’ Android photos app vulnerability

Amazon patched a high severity vulnerability affecting the Amazon Photos Android app in December after researchers notified them of the issue, the company disclosed Tuesday. 

Researchers at cybersecurity firm Checkmarx said they discovered a bug in the app that allowed attackers to steal a user’s Amazon access token, which is used to authenticate someone across multiple Amazon APIs. 

Many of these APIs have personal data like names, emails, addresses and more. Some, like Amazon Drive API, would give a hacker full access to a person’s files.

The Amazon Photos Android app had more than 50 million downloads before a patch for the vulnerability was released on December 18. 

An Amazon spokesperson told The Record that the company has “no evidence that sensitive customer information was exposed as a result of this issue.”

“We appreciate the work of independent security researchers who help bring potential issues to our attention,” the spokesperson said. “We released a fix for this issue soon after it was brought to our attention. We have no evidence that sensitive customer information was exposed as a result of this issue.”

Erez Yalon, VP of Security Research at Checkmarx, said their team found multiple issues with different components of the app and found that with the right malicious app installed, Android users’ Amazon access token “could have been stolen, making the user vulnerable to ransomware or worse.”

“This results from a misconfiguration of the com.amazon.gallery.thor.app.activity.ThorViewActivity component, which is implicitly exported in the app’s manifest file, thus allowing external applications to access it,” Yalon explained.

“Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer’s access token. Crucially, the researchers found that they could control the server receiving this request. The activity is declared with an intent-filter used by the application to decide the destination of the request containing the access token.” 

From there, a malicious application could “send an intent that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker.”

In a report released on Tuesday, the company’s researchers said anyone that obtained an access token had the ability to modify files while erasing a user’s history so that original content could not be recovered from file history.

The researchers found other ways attackers could delete files in someone’s Amazon Drive. The report says a theoretical ransomware actor would have a number of ways to take advantage of the flaw. 

“A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history. Additionally, the APIs highlighted in this article are only a small subset of the entire Amazon ecosystem, so it’s possible that other Amazon APIs would also be accessible to an attacker with that same token,” the researchers explained. 

Checkmarx said it reported the issues to the Amazon Vulnerability Research Program on November 7, 2021. The next day, Amazon confirmed the report and Checkmarx noted that the company considered it “a high severity issue.”

By December 18, Amazon declared the issues “resolved” and said a fix was “deployed into production.”

“We know there is nothing completely secure in the software world. But seeing that kind of vulnerability in the software of Amazon, one of the leading companies in the world when it comes to security practices, means that it can happen to every software company,” Yalon said. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.