Amazon have patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.
The Ring app for Android has over 10 million downloads.
Application security firm Checkmarx explained that it identified a cross-site scripting (XSS) flaw that said it could be weaponised as part of an attack chain to trick victims into installing a malicious app.
The app could then be used to extract the user’s Authorisation Token, that can be leveraged to extract the session cookie by sending this information alongside the device’s hardware ID, which is also encoded in the token, to the endpoint “ring[.]com/mobile/authorize.”
With this cookie, an attacker could sign in to the victim’s account without having to know their password and access all personal data associated with the account.
This is achieved by querying the below endpoints:
- account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
- account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings
Checkmarx said that they reported the issue to Amazon on 1st May 2022 and a fix was available on 27th May 2022 in version 3.51.0. There is no evidence that the issue had been exploited.
