Amazon Quickly Fixed a Vulnerability in Ring Android App That Could Expose Users’ Camera Recordings
Researchers at Checkmarx found that the Ring Android app could have allowed a malicious application installed on the user’s phone to steal their personal data, geolocation, and camera recordings.
Ring by Amazon operates in the home security space and manufactures products that include outdoor and indoor surveillance cameras. Their Android application has been downloaded over 10 million times.
Technical Details
The vulnerability was found in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, as such, was accessible to other applications on the same device.
This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”.
We could use adb to replicate a valid Intent:
The attacker-controlled web page could then interact with the WebView’s JavaScript interfaces, as long as it was served from a “ring.com” or “a2z.com” subdomain.
The team at Checkmarx was able to find a Reflected Cross-Site Scripting (XSS) vulnerability in cyberchef.schlarpc.people.a2z.com, which allowed them to complete this attack chain.
Knowing of this vulnerability, an attacker could trick victims into installing a malicious application that triggered the following Intent to complete the attack:
This payload redirects the WebView to the malicious web page, which can access the `__NATIVE__BRIDGE__.getToken()` JavaScript Interface that grants access to an Authorization Token, which can then be exfiltrated to an attacker-controlled server.
This token is a JSON Web Token (JWT), which on its own is insufficient to authorize calls to Ring’s multiple APIs. Authorization is enforced using an rs_session cookie.
However, this cookie can be obtained by calling the https://ring.com/mobile/authorize endpoint with both a valid Authorization Token plus the corresponding device’s Hardware ID.
Luckily for our researchers, this Hardware ID was encoded into the token.
With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings.
More specifically, the following APIs were used:
• https://acount.ring.com/account/control-center – used to obtain the victim’s personal data and device ID
• https://account.ring.com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – used to obtain the device data and recordings
Let’s Scale the Attack
Because the vulnerability could give an attacker more videos than they could review by hand, the researchers decided to take it one step further by using the excellent Amazon Rekognition service. Rekognition can be used to automate the analysis of these recordings and extract information that could be useful for malicious actors.
Rekognition can scan an unlimited number of videos and detect objects, text, faces, and public figures, among other things.
To further demonstrate the impact of this vulnerability, the researchers showed how this service could be used to read sensitive information from computer screens and documents visible to the Ring cameras and to track people’s movements in and out of a room.
Due to the high potential impact of the vulnerability and the high likelihood of success in real attack scenarios, Amazon considered this a high-severity issue and released a fix for it soon after it was reported.
Timeline
1-May-2022 Full findings reported to the Amazon Vulnerability Research Program
1-May-2022 Amazon confirmed receiving the report
[CONFIRMING DATE WITH AMAZON] Amazon declared issues are resolved and fix deployed into production
Epilogue
It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process. For this reason, and for great collaboration, we’re granting Amazon’s Security Team the Checkmarx Seal of Approval.
And, as always, our security research team will continue to focus on ways to improve application security practices everywhere.