A security researcher found a flaw in the Amazon Ring app that could have let hackers spy on people. Hackers could have used the exploit to watch saved recordings.
Amazon Ring App Vulnerability was Categorized as 'High-Severity'
According to a story by Tom's Guide, an Amazon Ring app vulnerability categorized as high-severity could have given hackers access to critical data. The hackers could have used the vulnerability to spy on saved camera recordings.
The vulnerability has already been fixed. A report by Bleeping Computer notes that it was first found by a Checkmarx security researcher, and the company was quick to share its findings with Amazon.
Ring App Has Ten Million Downloads Worldwide, Meaning the Reach of the Vulnerability Could Be Extremely Wide
The Ring app has been downloaded over ten million times and is used worldwide. Given that popularity, the vulnerability is quite concerning, since there has been no report on the extent to which hackers were able to access it.
As per Tom's Guide, users who have not updated their Android Ring app recently should install the latest version to prevent hackers from accessing their security cameras' saved recordings.
Ring App Vulnerability Could be Exposed by Other Apps on the Owner's Device
Checkmarx released a blog post detailing its findings. The researchers explained that the Ring app for Android exposed an activity that could be launched by any other app installed on the owner's device.
The activity in question was com.ringapp/com.ringnh.deeplink.DeepLinkActivity. It was exposed in the app's manifest, which allowed other installed apps to launch it easily.
Researchers Were Able to Bypass the Restrictions by Finding an XSS Vulnerability
By launching the activity, researchers from Checkmarx found that they could set up a web server to interact with it. However, only webpages on the ring.com or a2z.com domains were able to interact with it.
The researchers then bypassed the restrictions by finding a cross-site scripting (XSS) vulnerability, which they exploited to get the Ring login cookie.
Malicious Apps Could Use the Exploit to Provide Access to Users' Amazon Ring App Data
Once the researchers had a Ring login cookie, they were able to use Ring's APIs to gain access to customers' personal data. The data included emails, phone numbers, full names, and device data from their Ring products.
The data they were able to get from the Ring products included the owner's address, geolocation, and saved recordings. As per Tom's Guide, attackers could have created a malicious app and uploaded it to the Play Store in order to send Ring customers' authentication cookies back to them.
This article is owned by Tech Times
Written by Urian B.