A high-severity flaw in the Amazon Photos Android app, which has more than 50 million downloads, could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.
The analysts said the bug is due to a misconfigured component in the app's manifest file: an activity that any other app on the device can launch.
"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. The analysts also found that they could control the server that receives the request, so a malicious app on the same device could launch the activity and collect the token.
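The bug class described above (a component exported in the manifest without any permission guarding it, so any app can launch it) is easy to check for once you have a decoded manifest. The script below is an added example and is not code from the article or from Checkmarx; the manifest it scans is constructed here for illustration and is not Amazon's real manifest, and the component names in it are hypothetical. It flags every activity, service, receiver or provider that is reachable from other apps (explicitly `android:exported="true"`, or implicitly exported via an `<intent-filter>` on Android 11 and below) and that carries no `android:permission`, skipping only the launcher activity.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical app and component names, not
# Amazon's real manifest). It contains:
#  - an activity exported without a permission (the misconfiguration class
#    discussed in the article),
#  - an activity exported but protected by a permission,
#  - an activity that is not exported,
#  - an activity with an intent-filter but no explicit android:exported
#    (implicitly exported on API < 31),
#  - the launcher activity, which must be exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <application>
    <activity android:name=".UploadActivity" android:exported="true" />
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.photos.ADMIN" />
    <activity android:name=".PrivateActivity" android:exported="false" />
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(el):
    """True if any intent-filter on the component carries the LAUNCHER category."""
    for f in el.findall("intent-filter"):
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(el):
    """Return True if other apps can reach this component.

    An explicit android:exported value wins. Otherwise a component with at
    least one <intent-filter> is implicitly exported (Android 11 and below;
    from Android 12 / API 31 the build rejects a missing explicit value).
    """
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return the android:name of every exported component with no android:permission.

    The launcher activity is skipped because it has to be exported. Every
    finding still needs a manual look at what the component does when an
    arbitrary caller launches it (e.g. whether it sends credentials anywhere).
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for el in app.iter():
        if el.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(el) or _attr(el, "permission") is not None:
            continue
        if _is_launcher(el):
            continue
        findings.append(_attr(el, "name"))
    return findings


if __name__ == "__main__":
    for name in find_unprotected_exports(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

On the constructed manifest this reports `.UploadActivity` and `.ShareActivity`. To run it against a real APK, decode the manifest first (for example with apktool), because the `AndroidManifest.xml` inside an APK is stored as binary XML that `xml.etree` cannot parse directly.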
The report added that, "with all these options available to an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer's files while erasing their history."
To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.