Ring Android app flaw allowed access to camera recordings
In the Amazon Ring app for Android, Amazon has patched a high-severity vulnerability that may have let hackers download customers’ recorded camera footage.
The flaw was spotted and reported to Amazon on May 1st, 2022 by security researchers working for the application security testing company Checkmarx. The flaw was quickly repaired by Amazon after it was discovered.
The ability to view a customer’s recorded camera footage might have allowed a wide range of nefarious activity, from extortion to data theft, given that the Ring Android app has over 10 million downloads and is used by individuals all over the world.
Android app Ring exploitation
Checkmarx discovered after examining the Ring Android app that it exposed a ‘activity’ that could be started by any other app installed on the Android device.
An Android “activity” is a software element that runs a screen for users to interact with in order to carry out a certain action. By including that activity in the manifest file while developing an Android app, it is feasible to make it visible to other installed apps.
Checkmarx discovered that the ‘com.ringapp/com.ring.nh.deeplink.DeepLinkActivity’ activity was exposed in the manifest of the Ring Android app, making it possible for any other install app to launch it.
As long as the Intent’s destination URI had the string “/better-neighborhoods/,” this activity would accept, load, and execute web content from any server, according to a Checkmarx report that was provided with BleepingComputer before going public.
This implied that they may start the activity and direct it to a web server under the control of the attacker to engage in the activity. However, the activity could only be interacted with by websites on the ring.com or a2z.com domains.
By discovering an XSS vulnerability on the URL https://cyberchef.schlarpc.people.a2z.com, the Checkmarx researchers were able to engage with the exposed activity and get around the restriction.
The researchers could now access Ring APIs using this XSS vulnerability and steal a login cookie for the customer’s account using an authentication token and device ID.
Once a user had been duped into downloading the programme, it would carry out the attack and transmit the attackers the authentication cookies of Ring customers.
But as a threat actor, what could you do with the enormous quantity of movies that you would find yourself suddenly in possession of by taking advantage of this weakness?
Checkmarx discovered that they could sort through the films to find ones of interest using the Amazon Rekognition service, an image and video analysis tool.
The service may use machine learning to locate celebrity videos, documents with specific terms, or even a password hastily written on a post-it note glued to a computer screen.
The threat actor might then receive this information and utilise it for extortion, network infiltration, or just plain voyeurism.
The good news is that Amazon released a remedy right away after receiving Checkmarx’s issue report.
The Checkmarx report stated, “It was a delight to engage so efficiently with the Amazon team. They took ownership and were professional throughout the disclosure and remediation process.