Critical Amazon Ring Flaw Could Allow Attackers to Access Camera Recordings

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing
Checkmarx, a global software security company based in Atlanta observed a vulnerability in the Ring Android app that could allow a malicious application installed on the user’s phone to expose their personal data, geolocation, and camera recordings.

The Ring App by Amazon has over 100 million downloads and it operates in the home security space and manufactures products that include outdoor and indoor surveillance cameras.

Vulnerability in Ring Android App

The vulnerability was discovered while assessing the Ring doorbell app for Android. Checkmarx researchers found the vulnerability in the com[.]ringapp/com.ring.nh[.]deeplink.DeepLinkActivity activity was implicitly exported in the Android Manifest and, as such, was accessible to malicious applications that users could be convinced to install.

Particularly, researchers found Reflected Cross-Site Scripting (XSS) vulnerability could be weaponized as part of an attack chain to trap victims into installing a malicious app. This app could give away the Authorization Token of the device and extract the session cookie by sending the information with the device’s hardware ID to this endpoint– “ringcom/mobile/authorize.”

In this case, the victim is tricked into installing the malicious app, which allows the attacker to collect authentication cookies. These cookies would allow the attacker to access a user’s account without entering the password.

The Following APIs Were Used

  • https://acount[.]ring.com/account/control-center – used to obtain the victim’s personal data and device ID
  • https://account[.]ring.com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – used to obtain the device data and recordings

“It was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings”, Checkmarx

Reports say it is also possible that the malicious actor could track the homeowners’ activities inside the rooms or the building they reside.

Checkmarx reported this issue on 1 May 2022, Amazon considered this a high-severity issue and released a fix for it soon after it was reported.“We issued a fix for supported Android customers on May 27, 2022, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit because it requires an unlikely and complex set of circumstances to execute.”