Amazon Quickly Fixed a Vulnerability in Ring Android App That Could Expose Users’ Camera Recordings

Intro

Researchers at Checkmarx found that the Ring Android app could have allowed a malicious application installed on the user’s phone to steal their personal data, geolocation, and camera recordings.

Ring by Amazon operates in the home security space and manufactures products that include outdoor and indoor surveillance cameras. Their Android application has been downloaded over 10 million times.

Technical Details

The vulnerability was found in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, as such, was accessible to other applications on the same device.

This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”.

We could use adb to replicate a valid Intent:

[Image: adb command replicating a valid Intent]

The attacker-controlled web page could then interact with the WebView’s JavaScript interfaces, as long as it was served from a “ring.com” or “a2z.com” subdomain.
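The two gates just described, a substring match on the deep-link URI and a domain-suffix match for the JavaScript interfaces, are the crux of the issue. The Python model below is an added example written for this post, not Ring’s code: it reproduces the weak checks as the write-up describes them next to hardened versions that parse the URI properly and compare against an exact host allowlist. The allowlisted hosts are assumptions for illustration; the sample URIs are constructed, apart from the a2z.com host named in the write-up. (Independent of URI validation, the first-line fix on Android is to not export an activity that has no reason to receive Intents from other apps, i.e. android:exported="false" in the manifest.)

```python
from urllib.parse import urlsplit

DEEPLINK_PREFIX = "/better-neighborhoods/"

# Weak gate, modelled on the behaviour described in the write-up: any URI is
# accepted as long as the marker string appears anywhere in it.
def weak_deeplink_check(uri: str) -> bool:
    return DEEPLINK_PREFIX in uri

# Hosts the WebView is legitimately expected to load. Assumed allowlist for
# illustration; the real app's list is not given in the write-up.
ALLOWED_HOSTS = {"ring.com", "www.ring.com"}

def hardened_deeplink_check(uri: str) -> bool:
    """Accept only https URIs whose host is on an exact allowlist, that carry no
    userinfo or unusual port, and whose *path* (not query) starts with the prefix."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    if parts.username or parts.password or port not in (None, 443):
        return False
    return parts.path.startswith(DEEPLINK_PREFIX)

def classify(uri: str) -> tuple:
    """Return (weak_result, hardened_result) for one URI."""
    return weak_deeplink_check(uri), hardened_deeplink_check(uri)

# Suffix gate for the JavaScript bridge, as described: any subdomain of the two
# corporate domains is trusted, so an XSS on any one of them reaches the bridge.
BRIDGE_DOMAINS = ("ring.com", "a2z.com")

def bridge_allowed_by_suffix(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRIDGE_DOMAINS)

# Hardened gate: only the exact hosts that actually need the bridge (assumed).
BRIDGE_HOSTS = {"www.ring.com"}

def bridge_allowed_exact(host: str) -> bool:
    return host.lower() in BRIDGE_HOSTS

# Constructed sample URIs; the last host is the one named in the write-up.
SAMPLE_URIS = [
    "https://ring.com/better-neighborhoods/welcome",            # legitimate
    "https://attacker.example/better-neighborhoods/",           # foreign host
    "https://ring.com.attacker.example/better-neighborhoods/",  # look-alike host
    "https://attacker.example/?next=/better-neighborhoods/",    # marker only in query
    "http://ring.com/better-neighborhoods/",                    # cleartext scheme
]
SAMPLE_BRIDGE_HOST = "cyberchef.schlarpc.people.a2z.com"

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        weak, hard = classify(u)
        print(f"weak={weak!s:5} hardened={hard!s:5}  {u}")
    print("bridge by suffix:", bridge_allowed_by_suffix(SAMPLE_BRIDGE_HOST))
    print("bridge exact    :", bridge_allowed_exact(SAMPLE_BRIDGE_HOST))
```

Run stand-alone, the model shows that the substring gate accepts every constructed URI while the hardened gate accepts only the legitimate one, and that the suffix rule admits the a2z.com host on which the XSS was found while an exact allowlist does not.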

The team at Checkmarx was able to find a Reflected Cross-Site Scripting (XSS) vulnerability in cyberchef.schlarpc.people.a2z.com, which allowed them to complete this attack chain.

Knowing of this vulnerability, an attacker could trick victims into installing a malicious application that triggered the following Intent to complete the attack:

[Image: the Intent used to complete the attack]

This payload redirects the WebView to the malicious web page, which can call the NATIVE BRIDGE JavaScript Interface’s .getToken() method. That method returns an Authorization Token, which can then be exfiltrated to an attacker-controlled server.

This token is a JSON Web Token (JWT), which on its own is insufficient to authorize calls to Ring’s multiple APIs. Authorization is enforced using an rs_session cookie.

However, this cookie can be obtained by calling the https://ring.com/mobile/authorize endpoint with both a valid Authorization Token plus the corresponding device’s Hardware ID.

Luckily for our researchers, this Hardware ID was encoded into the token.
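The point worth internalising here is that a JWT payload is only base64url-encoded, so any claim placed in it is readable by whoever holds the token, signature key or not. Bundling the Hardware ID into the token therefore turned the “token plus Hardware ID” requirement into “token”. The Python below is an added example for this post, not Ring’s implementation: it builds a constructed HS256 token with an illustrative hardware_id claim (the claim name, key and values are assumptions), reads the claims back without verifying the signature, and flags claims that undermine a second factor. A proper verifier is included for contrast.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Used only to construct a realistic sample token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    This is what anyone holding the token can do; no key is involved."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))

def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time signature check; the correct way to *trust* the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

# Claims that, when present in a bearer token, collapse a supposedly separate
# second factor into the token itself. Names are illustrative assumptions.
SECOND_FACTOR_CLAIMS = ("hardware_id", "device_id")

def leaked_second_factors(token: str) -> dict:
    """Audit helper: which second-factor values does this token hand out?"""
    claims = read_claims_unverified(token)
    return {k: claims[k] for k in SECOND_FACTOR_CLAIMS if k in claims}

# Constructed sample: signing key, subject and hardware ID are all made up.
SAMPLE_KEY = b"constructed-signing-key-not-real"
SAMPLE_TOKEN = make_hs256_jwt(
    {"sub": "user-0001", "hardware_id": "CONSTRUCTED-HWID-0001", "exp": 1700000000},
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print("claims readable without key:", read_claims_unverified(SAMPLE_TOKEN))
    print("second factors exposed     :", leaked_second_factors(SAMPLE_TOKEN))
    print("signature valid            :", verify_hs256(SAMPLE_TOKEN, SAMPLE_KEY))
```

The defensive takeaway is the mirror image of the write-up: a value that is meant to act as an independent second factor must be stored and transmitted separately from the bearer token, and claims that are not needed by the relying party should not be in the token at all.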

With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings.

More specifically, the following APIs were used:

  • https://account.ring.com/account/control-center – used to obtain the victim’s personal data and device ID
  • https://account.ring.com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – used to obtain the device data and recordings

Let’s Scale the Attack

Since this vulnerability could hand an attacker more recordings than they could ever review by hand, the researchers took it one step further using the Amazon Rekognition service. Rekognition can automate the analysis of these recordings and extract information that would be useful to malicious actors.

Rekognition can scan an unlimited number of videos and detect objects, text, faces, and public figures, among other things.

To further demonstrate the impact of this vulnerability, the researchers showed how this service could be used to read sensitive information from computer screens and documents visible to the Ring cameras and to track people’s movements in and out of a room.

Due to the high potential impact of the vulnerability and the high likelihood of success in real attack scenarios, Amazon considered this a high-severity issue and released a fix for it soon after it was reported.

Timeline

1-May-2022 Full findings reported to the Amazon Vulnerability Research Program

1-May-2022 Amazon confirmed receiving the report

[CONFIRMING DATE WITH AMAZON] Amazon declared issues are resolved and fix deployed into production

Epilogue

It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process. For this reason, and for great collaboration, we’re granting Amazon’s Security Team the Checkmarx Seal of Approval.

And, as always, our security research team will continue to focus on ways to improve application security practices everywhere.
