Amazon has patched a security flaw in its popular Amazon Photos app for Android, reports BleepingComputer.
Malicious actors could exploit the vulnerability, which was identified by Checkmarx researchers, to exfiltrate Amazon access tokens used for API authentication. The vulnerable component "com.amazon.gallery.thor.app.activity.ThorViewActivity" could be invoked by an external app to trigger an HTTP request that would then deliver the token to the attackers' server. Attackers could then use the token to compromise files in Amazon Drive cloud storage and erase data history, as well as compromise other Amazon APIs, including Alexa, Kindle, and Prime Video, according to researchers.
"With all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer's files while erasing their history," said Checkmarx.
Amazon said that it has not found any evidence indicating exposure of sensitive customer data as a result of the vulnerability.