Amazon addressed a high-severity flaw in its Ring app for Android that could have exposed sensitive information and camera recordings.
In May, Amazon fixed a high-severity vulnerability in its Ring app for Android that could have allowed a malicious app installed on a user’s device to access sensitive information and camera recordings.
The Ring app allows users to monitor video feeds from multiple devices, including security cameras, video doorbells, and alarm systems. The Android application has been downloaded over 10 million times.
Researchers from security firm Checkmarx discovered a vulnerability in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, for this reason, it was accessible to other applications on the same device.
“These other applications could be malicious applications that users could be convinced to install.” reads the post published by the researchers. “This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”.”
The experts also identified a Reflected Cross-Site Scripting (XSS) issue in cyberchef.schlarpc.people.a2z.com, which can be chained with the previous one to install a malicious application on the device.
An attacker can use a rogue app to obtain the user’s Authorization Token, then can use it to extract the session cookie by sending this information to the endpoint “ring[.]com/mobile/authorize” along with the device’s hardware ID.
Once obtained the cookie, the attacker can access to the victim’s account and personal data associated with the account (i.e. full name, email address, phone number, and geolocation information).
Below is a video PoC published by the experts and the timeline for this issue:
- 1-May-2022 Full findings reported to the Amazon Vulnerability Research Program
- 1-May-2022 Amazon confirmed receiving the report
- 27-May-2022 Amazon released a fix to customers in version .51 (3.51.0 Android , 5.51.0 iOS).
“We issued a fix for supported Android customers on May 27, 2022, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute.” Amazon told to the experts.
(SecurityAffairs – hacking, Amazon Ring)