Amazon has fixed a high-severity vulnerability in the Amazon Ring app for Android that could have allowed hackers to download customers’ saved camera recordings.
The vulnerability was discovered by security researchers at application security testing company Checkmarx, who found and disclosed the vulnerability to Amazon on May 1st, 2022. Amazon fixed the bug shortly after it was disclosed.
As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer’s saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft.
Exploiting the Ring Android app
When analyzing the Ring Android app, Checkmarx found that the app was exposing an ‘activity’ that could be launched by any other app installed on the Android device.
An Android’ activity’ is a program component that displays a screen that users can interact with to perform a particular action. When creating an Android app, it is possible to expose that activity to other installed apps by adding it to the app’s manifest file.
When examining the Ring Android app, Checkmarx found that the ‘com.ringapp/com.ring.nh.deeplink.DeepLinkActivity‘ activity was exposed in the app’s manifest, allowing any other install app to launch it.
“This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”,” explained a report by Checkmarx shared with BleepingComputer before publishing.
This meant that they could launch the activity and direct it to an attacker-controlled web server to interact with the activity. However, only webpages on the ring.com or a2z.com domains could interact with the activity.
The Checkmarx researchers bypassed this restriction by finding an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to interact with the exposed activity.
Using this XSS vulnerability, the researchers could now steal a login cookie using an authentication token and hardware ID for the customer’s account through Ring APIs that are now accessible.
Source: Checkmarx
Armed with the now stolen cookie, the researchers could steal personal information from the customer’s account.
“With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings.” – Checkmarx.
Now that the researchers had created a working attack chain, the researchers could have exploited the vulnerability by creating and publishing a malicious app on Google Play or another site.
Once a user was tricked into installing the app, it would execute the attack and send the attackers the Ring customer’s authentication cookies.
Analyzing videos with machine learning
However, as a threat actor, what could you do with the massive number of videos that could suddenly be in your possession by exploiting this vulnerability?
Checkmarx found that they could use the Amazon Rekognition service, an image and video analysis service, to sift through the videos to find ones of interest.
Using machine learning, the service could find videos of celebrities, documents containing certain words, or even a password carelessly scribbled on a post-it note stuck to a monitor.
This data could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeur.
The good news is that Amazon responded quickly to Checkmarx’s bug report and deployed a fix.
“It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process,” concluded the Checkmarx report.
To demonstrate the vulnerability in the Ring Android app and how threat actors could use it to find sensitive videos, Checkmarx shared the following video with BleepingComputer.
[embedded content]
