Do you use Amazon Photos? The Android app had a serious security flaw (already fixed) that could have put all your images and videos at risk.

After Google removed the free unlimited storage of Google Photos, a good number of users of the platform decided to make the leap to Amazon Photos, the alternative created by the company founded by Jeff Bezos, whose main virtue was the option to enjoy free unlimited storage for all users. Amazon Prime subscribers.

But it seems that the solution developed by Amazon is not problem free. As confirmed from the CheckMarX portal, Amazon has admitted a serious security problem that has been present in its image and video storage platform in the cloud. The vulnerability would have allowed attackers gain access to users’ content, and wipe their drives cloud storage completely.

The security flaw affected the Amazon Photos app for Android

As the researchers have confirmed, the vulnerability was discovered in the version of Amazon Photos for Android. It was determined that the app, with more than fifty million downloads on Google Play, had a loophole that could allow attackers access user files and modify or delete them remotely.

The origin of the vulnerability lies in a configuration failure in one of the “Activities” that make up the application. Apparently the component com.amazon.gallery.thor.app.activity.ThorViewActivity had the ability to export user access token over an insecure HTTP connection, which would allow an attacker intercept said token.

When trying to exploit this vulnerability, attackers only had to get token through a malicious app installed on the victim’s device, to later gain access to all private user content offered by the Amazon API, including the images and videos saved in Amazon Photos.

“This token could be used to list client files using the Amazon Drive API, and then read, rewrite, or even delete the contents of each.”

But the problems go deeper: the researchers discovered that anyone with the user’s access token could clear history of files, so that the original version of these could not be recovered.

From CheckMarX they informed Amazon of the discovery on November 7, 2021, and Amazon classified the problem as “high severity”. A few weeks later, the update containing the patch aimed at solving the problem.

