Amazon has patched a flaw in the Amazon Photos app which could have allowed an attacker to steal and use a user’s unique access token that verifies their identity across multiple Amazon APIs.
That would give attackers access to a trove of information, since many of these APIs contain personal data, such as names, email addresses, and home addresses.
Amazon Photos, previously known as Prime Photos, is a service related to Amazon Drive, the company’s cloud storage application. To date, it has been downloaded more than 50 million times from the Play Store. The Photos app is geared towards storing, organizing, and sharing photos and videos.
A misconfigured component in the app left a client’s access token severely unprotected, so a third-party malicious app could read and use that token. In a ransomware scenario, threat actors could steal, delete, and encrypt files, leaving affected users with no means to restore them.
To put it plainly, it’s like sending a password over to another app in plain text, the researchers who found the bug explained.
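The article does not say which component setting was at fault. As an added example, not code from the article, Checkmarx or Amazon, the following Python check looks for the most common way an Android app exposes data to other apps on the same device: a component that is exported without requiring a permission. The manifest, package name and component names are constructed for illustration.

```python
# Added example, not code from the article, Checkmarx or Amazon. The article does
# not name the misconfigured setting, so this checks the usual way one Android
# app exposes data to another: a component exported without a permission gate.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; package and component names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ViewerActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".TokenReceiver">
      <intent-filter><action android:name="com.example.photos.REFRESH"/></intent-filter>
    </receiver>
    <provider android:name=".PhotoProvider" android:exported="true"
        android:permission="com.example.photos.READ_PHOTOS"/>
  </application>
</manifest>"""


def exported_without_permission(manifest_xml):
    """Return 'tag name' for each component other apps can reach without holding
    a permission. Exported means android:exported="true", or the attribute is
    absent and the component declares an intent-filter (the pre-Android-12
    default). The launcher activity is skipped; it must be exported."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = comp.get(NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported != "true" and not (exported is None and has_filter):
                continue  # not reachable from other apps
            if comp.get(NS + "permission"):
                continue  # callers must hold a permission; acceptable
            categories = {c.get(NS + "name") for c in comp.iter("category")}
            if "android.intent.category.LAUNCHER" in categories:
                continue  # every app's entry point is necessarily exported
            findings.append("%s %s" % (tag, comp.get(NS + "name")))
    return findings
```

Running the check against the sample flags the viewer activity and the receiver that is implicitly exported through its intent-filter, while the permission-gated provider and the non-exported service pass.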
The researchers from Checkmarx informed Amazon in November 2021. The following month, the company issued a patch for the vulnerability.
Because this flaw also affects Amazon Drive, threat actors could theoretically modify files while erasing a user’s history, effectively rendering original content irrecoverable.
Erez Yalon, Checkmarx’s vice president of security research, was quoted in an interview with The Record:
“We know there is nothing completely secure in the software world. But seeing that kind of vulnerability in the software of Amazon, one of the leading companies in the world when it comes to security practices, means that it can happen to every software company.”
An Amazon spokesperson also told The Record they found “no evidence that sensitive customer information was exposed as a result of this issue.”
“We appreciate the work of independent security researchers who help bring potential issues to our attention,” the spokesperson said.