Amazon has patched a security flaw in its popular Amazon Photos app for Android, reports BleepingComputer.
Malicious actors could exploit the vulnerability, which was identified by Checkmarx researchers, to exfiltrate Amazon access tokens used for API authentication. An external app could invoke the vulnerable component "com.amazon.gallery.thor.app.activity.ThorViewActivity" to trigger an HTTP request that would deliver the token to the attackers' server. Attackers could then use the token to compromise Amazon Drive cloud storage files and erase data history, as well as compromise other Amazon APIs, including Alexa, Kindle, and Prime Video, according to researchers.
"With all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer's files while erasing their history," said Checkmarx.
Amazon said that it has not found any evidence indicating exposure of sensitive customer data as a result of the vulnerability.
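An added example, not from the article, Amazon or Checkmarx: on Android, another app can start a component only if the manifest exports it, so this check audits a decoded AndroidManifest.xml for activities, services and receivers that are exported without a signature-level permission. The sample manifest and every name in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest in decoded text form; every name in it is made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photos">
  <permission android:name="com.example.photos.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".ViewerActivity" android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="com.example.photos.SHARE"/></intent-filter>
    </activity>
    <activity android:name=".SyncActivity" android:exported="true" android:permission="com.example.photos.INTERNAL"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_launcher(comp):
    """True for the home-screen entry point, which has to be exported."""
    names = {e.get(A + "name") for e in comp.iter() if e.tag in ("action", "category")}
    return {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names

def externally_reachable(manifest_xml):
    """Return (component, reason) for components any installed app can start."""
    root = ET.fromstring(manifest_xml.strip())
    pkg, app = root.get("package", ""), root.find("application")
    # Only signature-level permissions keep arbitrary third-party apps out.
    strong = {p.get(A + "name") for p in root.findall("permission")
              if "signature" in p.get(A + "protectionLevel", "")}
    findings = []
    for comp in (c for c in app if c.tag in TAGS):
        exported = comp.get(A + "exported")
        # With no explicit value, an intent-filter made the component exported before Android 12.
        implicit = exported is None and comp.find("intent-filter") is not None
        if not (exported == "true" or implicit) or is_launcher(comp):
            continue
        if (comp.get(A + "permission") or app.get(A + "permission")) in strong:
            continue
        name = comp.get(A + "name", "")
        name = pkg + name if name.startswith(".") else name
        findings.append((name, "implicitly exported" if implicit else "exported"))
    return findings

if __name__ == "__main__":
    print(externally_reachable(SAMPLE_MANIFEST))
```

Each reported component should then be reviewed for what it does with the incoming Intent, in particular whether caller-supplied data can influence where authenticated requests are sent.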
Ahead of its imminent approval, the Biden administration's proposed executive order mandating U.S. cloud infrastructure-as-a-service providers to strengthen the verification of their users' identities has received industry opposition due to the increased financial and logistical burdens that would arise from such a rule, according to The Record, a news site by cybersecurity firm Recorded Future.
U.S. independent record label Empire Distribution, which has worked with Kendrick Lamar, Snoop Dogg, and 50 Cent, had its sensitive data exposed as a result of an environment file misconfiguration, Cybernews reports.