Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers. The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th.
Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer’s saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft.
Checkmarx discovered an ‘activity’ that could be launched by any other app installed on the Android device while analysing the Ring Android app. An ‘activity’ on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app’s manifest file.
Checkmarx discovered that the ‘com.ringapp/com.ring.nh.deeplink.DeepLinkActivity’ activity was exposed in the app’s manifest, enabling any other install app to launch it.
“This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”,” explained a report by Checkmarx shared wit
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: