Amazon has recently issued a patch to address a security flaw in its Ring Android app, which could be exploited to expose user video recordings and data, reports SecurityWeek.
Threat actors could chain numerous issues within the app, which has more than 10 million downloads from the Google Play store, to facilitate the exfiltration of users' names, home and email addresses, phone numbers, geolocation details, and camera recordings, according to Checkmarx researchers, who discovered the vulnerability. After content is loaded from a malicious web page, attackers exploiting the flaw could exfiltrate an authorization token to gain access to Ring APIs, which are then leveraged for user data and recording theft.
The patch was released by Amazon on May 27 after the flaw was reported to its bug bounty program on May 1.
"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," said a Ring spokesperson.