Amazon Users’ Photos Exposed as a Result of Leaky Access Tokens
Table of Contents
- By Steven
- Published: Jul 07, 2022
- Last Updated: Jul 07, 2022
Leaky access tokens have created quite the digital storm as we transition to the second half of 2022. Hackers employed Amazon user authentication tokens to encrypt or steal pictures and documents. The Android Amazon Photos app for Android failed to safeguard user access tokens. Amazon revealed the security failure this past Wednesday.
How are Exposed Tokens Used in the Attack?
Amazon relies on user access tokens to authenticate users on certain apps within the overarching ecosystem. Such a system is common practice for software companies as it proves convenient for aggressors and users.
Digital criminals have gone to great lengths to take full advantage of exposed tokens. They use expired tokens differently, based on each attack's nuances. The tokens set the stage to access targets' personal information from several Amazon apps, from Amazon Drive to Photos and beyond. Furthermore, the exposed tokens also set the stage for a ransomware attack, permanently deleting pictures, locking images, and even the theft or erasure of essential documents.
The access tokens slowly move through the Amazon API, short for application programming interface, by way of a misconfiguration of components that exports the manifest file within the app. Manifest files detail critical application details to the Google Play store and Android OS, setting the stage for external applications to obtain access.
Once the activity begins, the catalyst is an HTTP request that carries a header with the user access token. In simple terms, the password is transmitted to apps using plaintext. The attack shared unsecured tokens with services beyond third-party applications, including Amazon Drive. Most people use Amazon Drive for the storing and sharing of files.
When Did Amazon and Its Customers Learn of the Attack?
The findings date back to the first week of November 2021. Amazon Vulnerability Research Program began sorting through the results quickly. Fast forward about a month later, and Amazon declared that the security issue was no longer a significant threat to the security of files, folders, networks, etc.
What is the Fate of the Data?
The data in question could have been stolen or erased. Furthermore, hackers could have used unsecured access tokens in other ways, such as installing harmful third-party apps for the redirection of tokens in a manner that triggers activity that can lead to significant harm. At this point, the attacker can access a wide array of highly sensitive personal information targets stored within Amazon Photos. The fact that the tokens were found on Amazon Drive indicates the aggressors could have pinpointed, read, or possibly even permanently erased files as well as folders within a target's account.
Ransomware ultimately emerges as the most likely means of aggression. All the criminal would have to do is read, encrypt, and edit the customer's files without deleting the history. The question is, how many apps did the attack target with the tokens. The key takeaway from this story and the litany of other data breaches is that every business and computer owner should bolster their digital defenses to keep pace with an ever-evolving digital landscape.