Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers.
The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th.
Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer's saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft.
Checkmarx discovered an 'activity' that could be launched by any other app installed on the Android device while analysing the Ring Android app. An 'activity' on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app's manifest file.
Checkmarx discovered that the 'com.ringapp/com.ring.nh.deeplink.DeepLinkActivity' activity was exposed in the app's manifest, enabling any other install app to launch it.
"This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”," explained a report by Checkmarx shared with BleepingComputer before publishing.
This meant they could start the activity and send it to an attacker-controlled web server to interact with it. However, only pages hosted on the ring.com or a2z.com domains were able to interact with the activity.
The Checkmarx researchers got around this restriction by discovering an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to compromise the system.
"With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings." - Checkmarx.
With a working attack chain in place, the researchers could have exploited the vulnerability by developing and publishing a malicious app on Google Play or another site. Once a user was duped into installing the app, it would launch the attack and send the Ring customer's authentication cookies to the attackers.
Analyzing videos with machine learning
However, as a threat actor, what would you do with the massive amount of videos that you could gain access to by exploiting this vulnerability?
Checkmarx discovered that they could sift through the videos using the Amazon Rekognition service, an image and video analysis service. The service could use machine learning to find videos of celebrities, documents containing specific words, or even a password scribbled carelessly on a post-it note stuck to a monitor.
This information could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeuristic observer. The good news is that Amazon quickly responded to Checkmarx's bug report and released a fix.
"It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process," concluded the Checkmarx report.
"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," Ring told BleepingComputer.
