Security Researchers Discover Amazon Ring Vulnerability That Could Let Hackers Spy on You

Security researchers found a flaw in the Amazon Ring app that could let hackers spy on people. Hackers could use this exploit to watch saved recordings.

Vulnerability in the Amazon Ring app has been categorized as “high severity”

According to the Tom’s Guide story, a vulnerability in the Amazon Ring app rated as very serious could have allowed hackers to access critical data. Hackers could have used the vulnerability to spy on saved camera recordings.

The vulnerability has already been patched. A report from Bleeping Computer notes that it was first discovered by the security research firm Checkmarx, which was quick to share its findings with Amazon.

The Ring app has been downloaded millions of times worldwide, meaning the scope of the vulnerability could be extremely wide

The Ring app has already been downloaded over ten million times and is used around the world. Given that popularity, the vulnerability is quite worrying, as there have been no reports of how far hackers were able to take advantage of it.

According to Tom’s Guide, users who haven’t updated their Android Ring app recently should install the latest version to prevent hackers from accessing their backed-up security camera recordings.

Ring app vulnerability could be exposed by other apps on owner’s device

Checkmarx published a blog post detailing its findings. The researchers explained that the Ring app for Android exposed an activity that could be launched by any other app installed on the owner’s device.

The activity in question was specifically com.ringapp/com.ring.nh.deeplink.DeepLinkActivity, and it was exported in the app’s manifest, allowing other installed apps to easily launch it.
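The condition described above can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from the article, Checkmarx or Ring: it lists activities that other installed apps can launch without holding a permission. The manifest, package and activity names are constructed for illustration, and the check assumes no application-level android:permission and ignores activity-alias entries.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest (decoded XML form); all names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".deeplink.DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalWebActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".PartnerActivity" android:permission="com.example.camera.PARTNER" android:exported="true"/>
  </application>
</manifest>"""

def audit_exported_activities(manifest_xml):
    """Return (name, reason) for activities any other app can launch freely."""
    findings = []
    root = ET.fromstring(manifest_xml)
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name")
        filters = act.findall("intent-filter")
        exported = act.get(ANDROID + "exported")
        # Before Android 12, declaring an intent-filter implied exported="true".
        if exported is None:
            exported = "true" if filters else "false"
        # Not exported, or guarded by a permission: other apps cannot launch it freely.
        if exported != "true" or act.get(ANDROID + "permission"):
            continue
        actions = {a.get(ANDROID + "name") for f in filters for a in f.iter("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher entry point has to be exported
        reason = "deep-link handler" if "android.intent.action.VIEW" in actions else "no intent-filter"
        findings.append((name, reason))
    return findings

if __name__ == "__main__":
    print(audit_exported_activities(SAMPLE_MANIFEST))
```

Each finding is a candidate for `android:exported="false"` or, where the activity must stay reachable, for strict validation of the URI it receives before any web content is loaded.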

Researchers were able to circumvent the restrictions by finding an XSS vulnerability

By launching the activity, the Checkmarx researchers discovered that they could set up a web server to interact with it. However, only web pages served from the ring.com or a2z.com domains were able to interact with it.

The researchers then circumvented the restriction by finding a cross-site scripting (XSS) vulnerability, which they exploited to obtain the Ring login cookie.

Malicious apps could use the exploit to gain access to users’ Amazon Ring app data

Once the researchers had a Ring login cookie, they could use Ring’s APIs to access customers’ personal data. The data included emails, phone numbers, full names, and device data from their Ring products.

The data they were able to obtain from Ring products included the owner’s address, geolocation and saved recordings. According to Tom’s Guide, attackers could have created a malicious app and uploaded it to the Play Store to send them Ring users’ authentication cookies.

This article belongs to Tech Times

Written by Urian B.

ⓒ 2022 TECHTIMES.com All rights reserved. Do not reproduce without permission.