Amazon has confirmed and fixed a vulnerability in Amazon Photos for Android, an image and video storage application that has been downloaded over 50 million times on the Google Play Store. Checkmarx researchers discovered that the flaw lies in a misconfiguration of an app component, which results in its manifest file being externally accessible without authentication. Access tokens for Amazon APIs, which could expose personal information, were at risk of being stolen by malicious apps installed on the same device. To exploit this vulnerability, a malicious app would need to launch the “com.amazon.gallery.thor.app.activity.ThorViewActivity” component, which triggers an HTTP request that contains a header with the user’s token. Researchers found that an external app could easily launch the vulnerable activity and trigger the request at will, sending the token to an attacker-controlled server.
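The misconfiguration class behind this finding is an Android component that other apps on the device are allowed to start. A defender can catch that pattern before release with a static check over the app's AndroidManifest.xml. The script below is an added example, not Checkmarx's tooling or Amazon's code: it applies Android's export rule (an explicit android:exported attribute wins; otherwise a component with an intent-filter is implicitly exported on targetSdk below 31) and flags any exported activity, service, receiver or provider that is not guarded by an android:permission. The two manifests, the package name com.example.photos and the component names in them are constructed for the example; the weak manifest shows the exposed form, the hardened one the corrected form.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Android's export rule: an explicit android:exported value wins; without
    it, a component that declares an <intent-filter> is implicitly exported
    (targetSdk < 31; Android 12+ refuses to install the implicit case)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for every component another app could start that has
    no android:permission protecting it. Order follows COMPONENT_TAGS."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp) and _attr(comp, "permission") is None:
                findings.append((tag, _attr(comp, "name")))
    return findings


# Constructed manifest: an activity any app can launch, a receiver that is
# implicitly exported via its intent-filter, and a service that is exported
# but at least gated behind a custom permission.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <activity android:name="com.example.photos.ViewerActivity"
              android:exported="true"/>
    <receiver android:name="com.example.photos.SyncReceiver">
      <intent-filter>
        <action android:name="com.example.photos.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.photos.UploadService"
             android:exported="true"
             android:permission="com.example.photos.permission.UPLOAD"/>
  </application>
</manifest>"""

# Constructed hardened manifest: the same components with android:exported set
# explicitly to false (explicit false overrides the intent-filter default).
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <activity android:name="com.example.photos.ViewerActivity"
              android:exported="false"/>
    <receiver android:name="com.example.photos.SyncReceiver"
              android:exported="false">
      <intent-filter>
        <action android:name="com.example.photos.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.photos.UploadService"
             android:exported="true"
             android:permission="com.example.photos.permission.UPLOAD"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_unprotected_exports(manifest))
```

Run against the weak manifest the check reports the activity and the receiver and stays silent on the permission-gated service; the hardened manifest produces no findings. In a real build, a component that must stay exported should additionally require a signature-level permission, and no component reachable from other apps should place an account token in a request it fires on launch.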
Analysts explored various exploitation scenarios with the acquired token, such as performing file actions on the victim’s Amazon Drive cloud storage, erasing history so that deleted data is irrecoverable, and more. Checkmarx concluded that with multiple options available to an attacker, a ransomware scenario was extremely probable. The same token could be used by other Amazon APIs, like Prime Video, Alexa, and Kindle, so the exploitation potential could have been far-reaching. The issue was reported to Amazon on November 7, 2021 and resolved on December 18, 2021. Amazon was asked whether it had noticed any signs of exploitation of the vulnerability and whether there had been reports of unauthorized Amazon API access during that period, to which it replied, “We have no evidence that sensitive customer information was exposed as a result of this issue.”