Microsoft has introduced a new Microsoft Defender for Endpoint (MDE) feature in public preview to help organizations detect weaknesses affecting Android and iOS devices in their enterprise networks.
After enabling the new Mobile Network Protection feature on Android and iOS devices you want to monitor, the enterprise endpoint security platform will provide protection and notifications when it detects rogue Wi-Fi-related threats and rogue certificates (the primary attack vector for Wi-Fi networks).
Threats it can spot include rogue hardware such as Hak5 Wi-Fi Pineapple devices which both pen-testers and cybercriminals can use to capture data shared within the network.
MDE will also alert users to switch networks if it spots a suspicious or unsecured network and push notifications when it discovers open Wi-Fi networks.
While the feature is enabled by default on mobile devices, Microsoft also provides detailed info on configuring network protection on Android and iOS devices via the Microsoft Endpoint Manager Admin center.
“As the world continues to make sense of the digital transformation, networks are becoming increasingly complex and provide a unique avenue for nefarious activity if left unattended,” the company said this week.
“To combat this, Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence.”
Disabling MDE Network Protection (Microsoft)
Cross-platform endpoint security platform
This is part of a broader effort to expand Defender for Endpoint’s capabilities across all major platforms to allow security teams to defend network endpoints via a single, unified security solution.
One month later, Microsoft announced that threat and vulnerability management support for Android and iOS reached general availability in Microsoft Defender for Endpoint.
Android and iOS vulnerability management lets admins decrease mobile endpoints’ surface attack and, in the process, increase their organization’s resilience against incoming attacks.
“With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization – spanning workstations, servers, and mobile devices,” Microsoft said.
Earlier this month, Redmond also said that a new MDE feature allows admins to “contain” unmanaged Windows devices on their network if they were compromised or are suspected to be compromised to block malware and attackers from abusing them to move laterally through the network.
Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.
“Google is aware that an exploit for CVE-2022-2294 exists in the wild.,” the browser vendor explained in a security advisory published on Monday.
The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it’s a matter of days or weeks until it reaches the entire userbase.
This update was available immediately when BleepingComputer checked for new updates by going into Chrome menu > Help > About Google Chrome.
The web browser will also auto-check for new updates and automatically install them after the next launch.
Attack details not revealed
The zero-day bug fixed today (tracked as CVE-2022-2294) is a high severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.
The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.
Although Google says this zero-day vulnerability was exploited in the wild, the company is yet to share technical details or a any info regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
With this delayed release of more info on the attacks, Chrome users should have enough time to update and prevent exploitation attempts until Google provides additional details.
Fourth Chome zero-day fixed this year
With this update, Google has addressed the fourth Chrome zero-day since the start of the year.
The previous three zero-day vulnerabilities found and patched in 2022 are:
The one fixed in February, CVE-2022-0609, was exploited by North Korean-backed state hackers weeks before the February patch, according to the Google Threat Analysis Group (TAG). The earliest signs of in the wild exploitation was found on January 4, 2022.
It was abused by two North Korean-sponsored threat groups in campaigns pushing malware via phishing emails using fake job lures and compromised websites hosting hidden iframes to serve exploit kits.
Because the zero-day patched today is known to have been used by attackers in the wild, is it strongly recommended to install today’s Google Chrome update as soon as possible.
In the last year, over a billion new Android phones were activated. Ready to join the fun, but not sure which phone is best for you? Consider one that’s loaded with the best of Google, that can fold to fit in your pocket or fit your budget, or has a camera that can capture any shot. Regardless of which phone you choose, making the switch from iPhone to Android has never been easier.
Starting today, support for the Switch to Android app on iOS is rolling out to all Android 12 phones, so you can move over some important information from your iPhone to your new Android seamlessly. Once you’ve got your new Android phone, follow our easy setup instructions to go through the data transfer process. You’ll be prompted to connect your old iPhone with your new Android phone either with your iPhone cable or wirelessly via the new Switch to Android app. The instructions will walk you through how to easily transfer your data like your contacts, calendars and photos over to your new phone.
Once you’re all set up, you can get started on your new Android device by checking out our favorite features.
Express yourself in new ways: With the Messages app and Gboard, it’s easy and enjoyable to send messages — especially between friends who use Android. Group chats, high-quality photo and video sharing, read receipts and emoji reactions are all available thanks to RCS, and thousands of emoji mashup stickers are there to help you express your feelings. (Rest assured, your iPhone friends will still receive your messages as well.)
Video chat with anyone, anywhere: If your friends and family have Google accounts, it’s easier than ever to video chat with Google Meet on Android. Or if you prefer FaceTime, you can still use that in the latest version of Chrome. Or with apps like WhatsApp in Google Play, you can chat with whomever you like for free around the globe. Android has so many options, it’s easy to stay connected with those that matter to you the most.
Tune into your favorite music: Catch up on the latest hits with your preferred streaming service available on Android. And if you had previously purchased and downloaded music on your iPhone, your music will transfer over to your Android phone, as long as it’s digital rights management (DRM)-free. Your purchases and downloaded content from Apple Music will still be accessible on your new Android device by downloading the Apple Music app.
Your favorite apps and more: With Google Play, you’ll find the apps you already use and love, and quickly start to discover so many more. Looking to plan an outdoorsy getaway? Hipcamp will help you book your next camping spot, Skyview Lite will be your stargazing guide to the sky, and AllTrails will help you find a hike that’s perfect for you and your friends. A summer of fun made possible with your new Android.
A privacy-first approach: On your new phone, your data is proactively protected by Android. Android helps defeat bad apps, malware, phishing and spam, and helps keep you one step ahead of threats. Messages, for example, helps protect people against 1.5 billion spam messages per month. Android also provides timely recommendations, like prompting you to select your location-sharing preferences when opening an app to help you make the best decisions for your privacy. Read more about how to keep your data private and secure.
More devices that work better together: Choose from a wide variety of Chromebooks, Wear OS smartwatches, Google TV devices and Fast Pair supported headphones, like Pixel Buds, that work better together with your phone. In fact, some of your Apple products will still work with your Android device, like AirPods.
Get more done with Google apps and services: Traveling on vacation and can’t read the local signs? Scan the text for instant translation so you can get to your destination quickly. Editing a Google Doc on your laptop, but need to finish on the go? You can easily keep work going on your Android phone, too. Google prides itself on being helpful, and the best of Google is built into Android phones.
Share music, photos and more across devices: Nearby Share lets you easily share music, photos and other files between your nearby Android and Chrome OS devices. To share content like photos and videos with non-Android devices, you can easily use sharing built into Google Photos or several other apps that allow you to share with friends and family and keep them in an organized memory bank for the future.
Customize your Home screen with Android Widgets:Widgets are helpful additions to any Home screen, putting the information that’s most important to you right at your fingertips. There will soon be 35 Google widgets available on Android, so whether you want to have easy access to Google Maps’ real-time traffic predictions or have translations at the ready so you can communicate with family and friends, Android is there to make your life a little easier.
Technology that’s useful for everyone: Everyone has their own way of using their devices. That’s why we build accessible features and products that work for the various ways people want to experience the world. Whether you want to use your device without ever needing the screen using TalkBack, or you want to take what’s being said out loud and create a real-time transcript with Live Transcribe, Android has you covered when and how you need it.
And that’s not all. Between our major annual updates, we’re always adding new features to Android.
Microsoft has reminded customers that Windows Server 2012/2012 R2 will reach its extended end-of-support (EOS) date next year, on October 10, 2023.
Released in October 2012, Windows Server 2012 has entered its tenth year of service and has already reached the mainstream end date over three years ago, on October 9, 2018.
Redmond also revealed today that Microsoft SQL Server 2012, the company’s relational database management system, will be retired on July 12, 2022, ten years after its release in May 2012.
Once EOS reached, Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers running the two products.
“Microsoft recommends customers migrate applications and workloads to Azure to run securely. Azure SQL Managed Instance is fully managed and always updated (PaaS),” the company said.
“Customers can also lift-and-shift to Azure Virtual Machines, including Azure Dedicated Host, Azure VMware Solution, and Azure Stack (Hub, HCI, Edge), to get three additional years of extended security updates at no cost.”
Redmond also reminded admins in July 2021 that Windows Server 2012 and SQL Server 2012 will reach their extended support end dates in two years, urging them to upgrade as soon as possible to avoid compliance and security gaps.
“We understand that SQL Server and Windows Server run many business-critical applications that may take more time to modernize,” Microsoft said.
“Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment will have the option to buy Extended Security Updates to get three more years of security updates for SQL Server 2012, and Windows Server 2012 and 2012 R2.”
Regarding the pricing scheme for Extended Security Updates, Microsoft says that they will only cost for on-premises deployments:
In Azure: Customers running SQL Server 2012 and Windows Server 2012 and 2012 R2 in Azure will get Extended Security Updates for free.
On-premises: Customers with active Software Assurance or subscription licenses can purchase Extended Security Updates annually for 75 percent of the license cost of the latest version of SQL Server or Windows Server for the first year, 100 percent of the license cost for the second year, and 125 percent of the license cost for the third year.
SQL Server 2008/R2 and Windows Server 2008/R2 Extended Security Updates (ESUs) will also reach their end support on July 12, 2022, and January 10, 2023, respectively.
Customers who will require additional time to upgrade servers may re-host them on Azure for an additional year of free Extended Security Updates (ESUs).
Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively.
An old school phenomenon
Shadow IT is not new. There have been countless examples of widespread shadow IT use over the years. In the early 2000s, for example, many organizations were reluctant to adopt Wi-Fi for fear that it could undermine their security efforts. However, users wanted the convenience of wireless device usage and often deployed wireless access points without the IT department’s knowledge or consent.
The same thing happened when the iPad first became popular. IT departments largely prohibited iPads from being used with business data because of the inability to apply group policy settings and other security controls to the devices. Even so, users often ignored IT and used iPads anyway.
Of course, IT pros eventually figured out how to secure iPads and Wi-Fi and eventually embraced the technology. However, shadow IT use does not always come with a happy ending. Users who engage in shadow IT use can unknowingly do irreparable harm to an organization.
Even so, the problem of shadow IT use continues to this day. If anything, shadow IT use has increased over the last several years. In 2021 for example, Gartner found that between 30% and 40% of all IT spending (in a large enterprise) goes toward funding shadow IT.
Shadow IT is on the rise in 2022
Remote work post-pandemic
One reason for the rise in shadow IT use is remote work. When users are working from home, it is easier for them to escape the notice if the IT department than it might be if they were to try using unauthorized technology from within the corporate office. A study by Core found that remote work stemming from COVID requirements increased shadow IT use by 59%.
Tech is getting simpler for end-users
Another reason for the increase in shadow IT is the fact that it is easier than ever for a user to circumvent the IT department. Suppose for a moment that a user wants to deploy a particular workload, but the IT department denies the request.
A determined user can simply use their corporate credit card to set up a cloud account. Because this account exists as an independent tenant, IT will have no visibility into the account and may not even know that it exists. This allows the user to run their unauthorized workload with total impunity.
In fact, a 2020 study found that 80% of workers admitted to using unauthorized SaaS applications. This same study also found that the average company’s shadow IT cloud could be 10X larger than the company’s sanctioned cloud usage.
Know your own network
Given the ease with which a user can deploy shadow IT resources, it is unrealistic for IT to assume that shadow IT isn’t happening or that they will be able to detect shadow IT use. As such, the best strategy may be to educate users about the risks posed by shadow IT. A user who has a limited IT background may inadvertently introduce security risks by engaging in shadow IT. According to a Forbes Insights report 60% of companies do not include shadow IT in their threat assessments.
Similarly, shadow IT use can expose an organization to regulatory penalties. In fact, it is often compliance auditors – not the IT department – who end up being the ones to discover shadow IT use.
Of course, educating users alone is not sufficient to stopping shadow IT use. There will always be users who choose to ignore the warnings. Likewise, giving in to user’s demands for using particular technologies might not always be in the organization’s best interests either. After all, there is no shortage of poorly written or outdated applications that could pose a significant threat to your organization. Never mind applications that are known for spying on users.
The zero-trust solution to Shadow IT
One of the best options for dealing with shadow IT threats may be to adopt zero trust. Zero-trust is a philosophy in which nothing in your organization is automatically assumed to be trustworthy. User and device identities must be proven each time that they are used to access a resource.
There are many different aspects to a zero-trust architecture, and each organization implements zero-trust differently. Some organizations for instance, use conditional access policies to control access to resources. That way, an organization isn’t just granting a user unrestricted access to a resource, but rather is considering how the user is trying to access the resource. This may involve setting up restrictions around the user’s geographic location, device type, time of day, or other factors.
Zero-trust at the helpdesk
One of the most important things that an organization can do with regard to implementing zero trust is to better secure its helpdesk. Most organizations’ help desks are vulnerable to social engineering attacks.
When a user calls and requests a password reset, the helpdesk technician assumes that the user is who they claim to be, when in reality, the caller could actually be a hacker who is trying to use a password reset request as a way of gaining access to the network. Granting password reset requests without verifying user identities goes against everything that zero trust stands for.
Strong, unique passwords are key to helping keep your personal information secure online. That’s why Google Password Manager can help you create, remember and autofill passwords on your computer or phone: on the web in Chrome, and in your favorite Android and iOS apps.
Today we’ve started rolling out a number of updates that help make the experience easier to use, with even stronger protections built in.
A consistent look and feel, across web and apps
We’re always grateful for feedback, and many of you have shared that managing passwords between Chrome and Android has been confusing at times: “It’s the same info in both places, so why does it look so different?” With this release, we’re rolling out a simplified and unified management experience that’s the same in Chrome and Android settings. If you have multiple passwords for the same sites or apps, we’ll automatically group them. And for your convenience, you can create a shortcut on your Android home screen to access your passwords with a single tap.
You can now add a shortcut to Google Password Manager to your Android homescreen.
More powerful password protections
Google Password Manager can create unique, strong passwords for you across platforms, and helps ensure your passwords aren’t compromised as you browse the web. We’re constantly working to expand these capabilities, which is why we’re giving you the ability to generate passwords for your iOS apps when you set Chrome as your autofill provider.
You can now create strong passwords on your computer or mobile, on any operating system.
Chrome can automatically check your passwords when you enter them into a site, but you can have an added layer of confidence by checking them in bulk with Password Checkup. We’ll now flag not only compromised credentials, but also weak and re-used passwords on Android. If Google warns you about a password, you can now fix them without hassle with our automated password change feature on Android.
For your peace of mind, Password Checkup on Android can flag compromised, weak and reused passwords.
To help protect even more people, we’re expanding our compromised password warnings to all Chrome users on Android, Chrome OS, iOS, Windows, MacOS and Linux.
Simplified access and password management
Google built its password manager to stay out of your way — letting you save passwords when you log in, filling them when you need them and ensuring they aren’t compromised. However, you might want to add your passwords to the app directly, too. That’s why, due to popular demand, we’re adding this functionality to Google Password Manager on all platforms.
Adding your passwords directly is now possible on all platforms.
In 2020, we announced Touch-to-Fill to help you fill your passwords in a convenient and recognizable way. We’re now bringing Touch-to-Login to Chrome on Android to make logging in even quicker by allowing you to securely log in to sites directly from the overlay at the bottom of your screen.
Touch-to-Login signs you in directly from a recognizable overlay.
Many of these features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security experts based in Munich, so Guten Tag from the team! Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification, to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.
But reliable recognition isn’t just about the big things — done well, even the smallest details of your WordPress website can help it stand out from the crowd and attract customer notice. This is the role of the favorite icon or “favicon” that’s used in web browser tabs, bookmarks, and on mobile devices as the app image for your site.
Not sure how favicons work or how to get them up and running on your site? We’ve got you covered with our functional guide to favicons — what they are, why they matter, and how to enable them in WordPress.
The official WordPress support page defines a favicon as “an icon associated with a particular website or web page.” This description doesn’t do the term justice — in fact, favicons are everywhere and are intrinsically associated with your brand.
Let’s take a closer look at how favicons look and why they matter below.
WordPress Favicon Size
The typical size of a WordPress favicon is 512 x 512 pixels. These icons are stored as .ico files in the root directory of your WordPress server.
But what does a favicon look like in real life? For a quick example, take a look at the browser tab of this webpage if you’re on a desktop or the area just under the address bar on your mobile device. Notice anything? That orange symbol with lines and circles is HubSpot’s favicon — and it shows up anytime you’re on our site.
In most cases, favicons are the same as brand logos scaled down to fit web and mobile browsers. Where this isn’t possible — such as cases where your logo is too complex or detailed — site owners typically opt for similar color schemes and thematic elements to ensure brand consistency.
Once you start seeing favicons you can’t unsee them; from webpages to tabs to bookmarks and mobile applications, the icon you choose for your favicon is inextricably linked to your site and your brand — so make sure you choose wisely.
Why Favicons Matter
Favicons are the visual currency of your brand. They’re everywhere — from browsers to bookmarks to mobile apps — and become an integral part of your site’s overall branding strategy.
As result, effective favicon design and deployment offers three broad benefits:
Improved Brand Recognition
Think of your favicon like your calling card — the icon needs to be simple, recognizable and consistent. The more places your favicon appears, the better, since this makes it easy for users to connect your WordPress site with your icon image.
Consistency is also key as users open multiple browser tabs and the available space for text descriptions naturally shrinks. Open enough tabs and all that’s left is — you guessed it — room for the favicon.
Increased Consumer Confidence
While visitors may not be able to define what a favicon is or how it works, these icons are inherently familiar. So familiar, in fact, that sites without favicons often stand out from the crowd for all the wrong reasons.
Much like relevant social media content and secure site connections, favicons are critical to boosting consumer confidence in the products or services you offer on your site.
Integrated Mobile Consistency
The impact of mobile devices can’t be ignored, with smartphones and tablets now outpacing desktops as the primary means of consumer online interaction. Favicons make it possible to ensure your brand easily translates to mobile — when users create website bookmarks on mobile home screens, your favicon stands in for the link.
Favicon Creation Guidelines
Not sure how to get started creating your site’s favicon? Let’s break down some best-practice guidelines.
1. Get the size right.
As noted above, favicons are typically 512 x 512 pixels in size. While it’s possible to use a larger WordPress favicon size, the platform will often ask you to crop the image down.
2. Keep it simple.
While it’s possible to add background colors and other customization to your favicon, keeping it simple is often the best choice. Here, simplicity includes opting for transparency over background colors and keeping the number of foreground colors in your favicon to one or two at most.
Ideally, your favicon will look almost identical to your brand’s logo — if that’s not possible, try to pull elements from your logo such as shapes or color schemes that help tie in your new favicon.
3. Choose wisely.
Site owners can update their favicon at any time, but it’s a good idea to keep the number of changes to a minimum. Here’s why: If users see a different favicon every time they log on to your website, they won’t have an opportunity to associate a specific image with your brand.
Bottom line? Better to go without a favicon until you find one that works for your site and that you don’t plan on changing.
How to Enable WordPress Favicons
To get your favicon up and running on your WordPress site, you’ve got three options:
Use the Site Icon feature
Install a favicon plugin
Upload the new favicon yourself
Let’s break down each method in more detail.
1. Use the site icon feature.
As of WordPress version 4.3, the content management system (CMS) includes a Site Icon function that enables favicons. Simply prepare your image file — which can be a .jpeg, .ico, .gif or .png file — and head to the Administration page of your WordPress Site.
Next, click on “Appearance” and then “Customize”, then click “Site Identity.” Now, click “Select Image” under the Site Icon subheading and upload the file you’ve prepared. You should see a screen like this:
If you like the favicon you’ve created, no further action is required. If not, you can easily remove the file or upload a new image.
2. Install a favicon plugin.
You can also use a plugin — such as Favicon by RealFaviconGenerator — to create and deploy your favicon. This must-have WordPress plugin not only lets you customize your favicon but also ensures that multiple versions are created to satisfy the requirements of different operating systems and device versions.
As long as the image you upload to the plugin is at least 70 x 70 pixels, the RealFaviconGenerator will take care of the rest.
3. Upload the new favicon yourself.
If you’d rather do the legwork yourself, you can create and upload your own favicon to your WordPress site.
First, create an image that’s at least 16 x 16 pixels and is saved as a .ico file. Then, use an FTP client to upload this file to the main folder of your current WordPress theme — typically the same place as your wp-admin and wp-content folders.
While this should display your favicon in most web browsers, some older browser versions will require you to edit WordPress header HTML code. The result? DIY favicons aren’t recommended unless you’re familiar with more technical WordPress functions.
Final Favicon Thoughts
Whie favicons form only a small part of your WordPress website build, they’re critical for website recognition. Consistent and clear favicons make it easy for visitors to remember your site and carry this mental connection across desktop, tablet, and mobile devices.
When API (Application Programming Interfaces) calls are made to the NVP/SOAP servers, PayPal strongly recommends that you use Domain Name Service (DNS) results with the default Time To Live (TTL) values, to determine the IP addresses of our servers.
PayPal does not recommend adding IPs to an allow list. If you must allow list the IP addresses for any of these domains, use the following ranges:
173.0.80.0/20
64.4.240.0/21
64.4.248.0/22
66.211.168.0/22
91.243.72.0/23
The above IPs are applicable to the following Live and Sandbox Endpoints:
Google this week announced that new warnings added in the Google Workspace Alert Center will keep administrators notified of critical and sensitive configuration changes.
Previously known as G Suite, Google Workspace provides secure collaboration and productivity tools for enterprises of all sizes. Accessible from anywhere in Google Workspace, the Alert Center delivers real-time security alerts and insights, to help admins mitigate threats such as phishing and malware.
With the new alerts in place, admins will also receive notifications whenever select changes are made to their Google Workspace configurations.
Specifically, warnings will be displayed when the primary admin is changed, when the password for a super admin account has been reset, and when changes are made to SSO profiles – when a third-party SSO profile has been added, updated, or deleted for the organization.
“These additional intelligent alerts will closely monitor several sensitive actions, making it easier for admins to stay on top of high-risk changes to their environment and potentially malicious actions being taken by bad actors,” Google explains.
An email notification containing key details on the event will be delivered to admins and super admins for each alert. The security investigation tool will allow admins to further investigate the reported incident.
The alerts and their associated email notifications are enabled by default and cannot be turned off.
The new capability is rolling out to all Google Workspace customers, including legacy G Suite Basic and Business customers, and is expected to become visible for everyone in the next couple of weeks.
Earlier this year, Google boosted malware and phishing protections in Workspace with updated comment notifications that now also include the commenter’s email address, so that users can better assess the legitimacy of the message.
Cybersecurity firm Checkmarx has published details on a high-severity vulnerability in the Amazon Photos Android application that could have allowed malicious apps to steal an Amazon access token.
With more than 50 million downloads, Amazon Photos offers cloud storage, allowing users to store photos and videos at their original quality, as well as to print and share photos, and to display them on multiple Amazon devices.
In November 2021, Checkmarx researchers identified an issue in the application that could have leaked the Amazon access token to malicious applications on the user’s device, potentially exposing the user’s personal information. The bug was addressed in December 2021.
The leaked Amazon access token is used for user authentication across Amazon APIs, including some that contain personal information such as names, addresses, and emails. Through the Amazon Drive API, for example, the attacker could access the user’s files, Checkmarx says.
The issue, the researchers explain, resided in a misconfigured component that was “exported in the app’s manifest file, thus allowing external applications to access it.”
The issue resulted in the access token being sent in the header of a HTTP request, but the most important aspect was the fact that an attacker could control the server receiving this request.
“The activity is declared with an intent-filter used by the application to decide the destination of the request containing the access token. Knowing this, a malicious application installed on the victim’s phone could send an intent that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker,” Checkmarx notes.
The leaked token could provide the attacker with access to all of the user information available through the Amazon API. Using the Amazon Drive API, the attacker could access users’ files and read, re-write, or delete their contents.
The researchers also explain that the access token could have allowed anyone to modify files and erase their history, to prevent recovery, or could have completely deleted files and folders from the user’s Amazon Drive account.
“With all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history,” the researchers say.
The vulnerability might have had a wider impact, given that the potentially affected APIs that the researchers identified represent only a small subset of the entire Amazon ecosystem, Checkmarx also notes.
