Amazon Ring Doorbell

Amazon patched a high-severity vulnerability in its Ring app for Android devices in May, according to application security firm Checkmarx. The security firm was able to enable a rogue application on the targeted Android device to access sensitive information and camera recordings.

Checkmarx reported that it leveraged a cross-site scripting attack (XSS) to trick targeted victims into downloading a malicious application on their Android device.

The attack could then get hold of the user’s authentication token and extract the user’s session cookie encoded in the token to Ring’s mobile authentication endpoint.

This would allow the attacker to sign into the victim’s account without having to know their password. All personal data would then be accessible, including geographic location, personally identifiable information, and device recordings.

Amazon has fully patched the vulnerability as of May 27, 2022, in Ring app version 3.51.0.

Amazon reports that there are no known real-world attacks leveraging this vulnerability, and explained that the exploit was “extremely difficult” to carry out.
