Application security, Endpoint/Device Security

Patched Amazon Ring app vulnerability could compromise data, recordings

Amazon has recently issued a patch to address a security flaw in its Ring Android app that could be exploited to expose user video recordings and data, reports SecurityWeek. Threat actors could chain numerous issues within the app, which has more than 10 million downloads from the Google Play store, to facilitate the exfiltration of users' names, home and email addresses, phone numbers, geolocation details, and camera recordings, according to Checkmarx researchers, who discovered the vulnerability. After content is loaded from a malicious web page, attackers exploiting the flaw would exfiltrate an authorization token that grants access to Ring APIs, which would then be used to steal user data and recordings. Amazon released the patch on May 27, after the flaw was reported to its bug bounty program on May 1. "We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," said a Ring spokesperson.
