Amazon Photos for Android gets the green light as the company fixes a bug affecting the popular app / Digital Information World


Amazon Photos is still going strong after the company recently announced how it managed to patch a major vulnerability affecting the app.

Amazon Photos for Android is considered an extremely popular app on the Google Play Store with a record 50+ million downloads to date.

For those who may not know, the app is an image and video storage application that allows its users to freely share their images with an audience consisting of no more than 5 members. At the same time, it is also known for its incredible management and strong organization.

The latest bug really sent shock waves through users after it was first discovered by researchers at Checkmarx. The vulnerability was found in a specific component of the app, which its manifest file made available for external access without the need for authentication.

Exploiting this flaw would therefore have allowed malicious apps installed on the same device to harvest the access tokens used for authentication with Amazon APIs.

The worrying factor is that some of these APIs expose a lot of sensitive user details such as names, email addresses and addresses. Meanwhile, the Amazon Drive API holds user files.

When launched, the vulnerable component triggered an HTTP request that carried a header containing the user’s token.

Researchers quickly noticed that any external program could launch the vulnerable component and trigger this request, allowing the token to be received on actor-run servers.
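For defenders, a component that other apps can start without any permission check is something an app's manifest can be audited for before release. The sketch below is an added example, not code from Checkmarx or Amazon; it assumes the exposure is an Android manifest component, and the manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photos">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ViewerActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.photos.permission.SYNC"/>
    <receiver android:name=".UploadReceiver" android:exported="false"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (tag, name, reason) for components other apps can start freely."""
    app = ET.fromstring(xml_text).find("application")
    app_perm = app.get(A + "permission")  # default permission for every component
    findings = []
    for comp in app:
        cats = {c.get(A + "name") for c in comp.iter("category")}
        if comp.tag not in COMPONENTS or "android.intent.category.LAUNCHER" in cats:
            continue  # launcher entry points must be exported; skip them
        exported = comp.get(A + "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and comp.tag != "provider" and comp.find("intent-filter") is not None:
            reason = "implicitly exported by intent-filter"  # apps targeting < API 31
        else:
            continue
        if not (comp.get(A + "permission") or app_perm):
            findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("%s %s: %s, no permission required" % finding)
```

Each finding is a component worth reviewing for what it does with credentials or user data when started by another app; setting `android:exported="false"` or requiring a permission closes the exposure.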

The researchers examined a number of different scenarios using the acquired token, including how files on Amazon Drive and their history could be deleted in a way where the deleted data could not be easily recovered.

It is therefore understandable why attacks were carried out so easily and how ransomware scenarios with the app became all the more common.

All that the threat actor needed to accomplish its mission was the ability to read and rewrite the user’s files while wiping out their previous history.

Although the matter was first disclosed by Checkmarx to Amazon late last year, we’re glad to see that it didn’t take too long to fix the bug considering it was classified as a High Intensity vulnerability.
