
New Amazon Ring Vulnerability May Have Exposed All Your Digital Camera Recordings

by crpt os


Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.

The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018.

Application security firm Checkmarx explained it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app.


The app can then be used to obtain the user’s Authorization Token, which can subsequently be leveraged to extract the session cookie by sending this information alongside the device’s hardware ID, which is also encoded in the token, to the endpoint “ring[.]com/mobile/authorize.”

Armed with this cookie, the attacker can sign in to the victim’s account without having to know their password and access all personal data associated with the account, including full name, email address, phone number, and geolocation information as well as the device recordings.

This is achieved by querying the below two endpoints –

  • account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
  • account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings

Checkmarx said it reported the issue to Amazon on May 1, 2022, following which a fix was made available on May 27 in version 3.51.0. There is no evidence that the issue has been exploited in real-world attacks, with Amazon characterizing the exploit as “extremely difficult” and emphasizing that no customer information was exposed.

The development comes more than a month after the company moved to address a severe weakness affecting its Photos app for Android that could have been exploited to steal a user’s access tokens.




