New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.

The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018.

Application security firm Checkmarx said it identified a cross-site scripting (XSS) flaw that could be weaponized as part of an attack chain to trick victims into installing a malicious app.

The malicious app can then be used to get hold of the user’s Authorization Token, which can subsequently be leveraged to extract the session cookie by sending the token, together with the device’s hardware ID (which is also encoded in the token), to the endpoint “ring[.]com/mobile/authorize.”

Armed with this cookie, the attacker can sign in to the victim’s account without having to know their password and access all personal data associated with the account, including full name, email address, phone number, and geolocation information as well as the device recordings.

This is achieved by querying the following two endpoints:

  • account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
  • account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings

Checkmarx said it reported the issue to Amazon on May 1, 2022, following which a fix was made available on May 27 in version 3.51.0. There is no evidence that the issue has been exploited in real-world attacks, with Amazon characterizing the exploit as “extremely difficult” and emphasizing that no customer information was exposed.

The development comes more than a month after the company moved to address a severe weakness affecting its Photos app for Android that could have been exploited to steal a user’s access tokens.
