#1 Trusted Cybersecurity News Platform
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: amazon

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

November 16, 2022Ravie Lakshmanan
Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personal identifiable information (PII), new findings from Mitiga, a cloud incident response company, show. "Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns," researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik said in a report shared with The Hacker News. This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins. Amazon RDS is a  web service  that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server. The root cause of the leaks stems from a feature called public  RDS snapshots , which allows for creating a backup of the entire da
New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

August 19, 2022Ravie Lakshmanan
Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx  explained  it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app. The app can then be used to get hold of the user's Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device's hardware ID, which is also encoded in the token, to the endpoint "ring[.]com/mobile/authorize." Armed with th
Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

July 16, 2022Ravie Lakshmanan
Following the launch of a new "Data safety" section for Android apps on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was  highlighted  by Esper's Mishaal Rahman earlier this week. The  Data safety  section, which Google began rolling out in late April 2022, is the company's answer to Apple's Privacy Nutrition Labels in iOS, allowing users to have a unified view of an app's data collection and processing practices. To that end, third-party app developers are required to furnish the required details by July 20, 2022. With this deadline now approaching next week, the tech giant has taken the step of entirely removing the permissions section. The decision also appears to be a hasty one, as a number of popular apps such as Facebook, Messenger, Instagram, WhatsApp, Amazon (including Amazon Prime Video), DuckDuckGo, Discord, and PhonePe are yet to populate their Data safety sec
Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

July 01, 2022Ravie Lakshmanan
Amazon, in December 2021, patched a high severity vulnerability affecting its  Photos app  for Android that could have been exploited to steal a user's access tokens. "The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino  said . "Others, like the Amazon Drive API, allow an attacker full access to the user's files." The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021. The leak is the result of a misconfiguration in one of the app's components named "com.amazon.gallery.thor.app.activity.ThorViewActivity" that's defined in the  AndroidManifest.xml file  and which, when launched, initiates an HTTP request with a header containing the access token. In a nutshell, it
Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

June 21, 2022Ravie Lakshmanan
A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the  2019 Capital One breach . Paige Thompson , who operated under the online alias "erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The seven-day trial saw the jury acquitted her of other charges, including access device fraud and aggravated identity theft. She is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison. "Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,"  said  U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer s
Amazon's Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug

Amazon's Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug

April 21, 2022Ravie Lakshmanan
The "hotpatch" released by Amazon Web Services (AWS) in response to the  Log4Shell  vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host. "Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution," Palo Alto Networks Unit 42 researcher Yuval Avrahami  said  in a report published this week. The issues —  CVE-2021-3100 ,  CVE-2021-3101 ,  CVE-2022-0070 , and  CVE-2022-0071  (CVSS scores: 8.8) — affect the  hotfix solutions  shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly but without ensuring that the new Java processes are run within the restrictions imposed on the container. "Any process running a binary named 'java' – inside or outside of a container – is considered a candidate for the hot patch,"
Your Amazon Devices to Automatically Share Your Wi-Fi With Neighbors

Your Amazon Devices to Automatically Share Your Wi-Fi With Neighbors

May 31, 2021Ravie Lakshmanan
Starting June 8, Amazon will automatically enable a feature on its family of hardware devices, including Echo speakers, Ring Video Doorbells, Ring Floodlight Cams, and Ring Spotlight Cams, that will share a small part of your Internet bandwidth with nearby neighbors — unless you choose to opt-out. To that effect, the company intends to register all compatible devices that are operational in the U.S. into an ambitious location-tracking system called Sidewalk as it prepares to roll out the shared mesh network in the country. Originally  announced  in September 2019,  Sidewalk  is part of Amazon's efforts to build a long-range wireless network that leverages a combination of Bluetooth and 900 MHz spectrum ( FSK ) to help Echo, Ring, Tile trackers, and other Sidewalk-enabled devices communicate over the internet without Wi-Fi. Sidewalk is designed to extend the working range of low-bandwidth devices, and help devices stay connected even if they are outside the range of a user's
ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

February 26, 2021Ravie Lakshmanan
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. The findings were presented on Wednesday at the Network and Distributed System Security Symposium (NDSS) conference by a group of academics from Ruhr-Universität Bochum and the North Carolina State University, who analyzed 90,194 skills available in seven countries, including the US, the UK, Australia, Canada, Germany, Japan, and France. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.  Chief among the findings is the concern that
Chinese Spying Chips Found Hidden On Servers Used By US Companies

Chinese Spying Chips Found Hidden On Servers Used By US Companies

October 04, 2018Mohit Kumar
A media report today revealed details of a significant supply chain attack which appears to be one of the largest corporate espionage and hardware hacking programs from a nation-state. According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon. The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China. The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon. "Apple made its discovery of suspi
Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores

Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores

September 29, 2017Swati Khandelwal
Another day, another data breach. This time Amazon-owned grocery chain has fallen victim to a credit card security breach. Whole Foods Market—acquired by Amazon for $13.7 billion in late August— disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores. Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada. The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details. The company also said people who only shopped for groceries at Whole Foods were not affected, neither the hackers were able to access Amazon transactions in the security breach. Instead, only certain venu
US Defense Contractor left Sensitive Files on Amazon Server Without Password

US Defense Contractor left Sensitive Files on Amazon Server Without Password

May 31, 2017Swati Khandelwal
Sensitive files linked to the United States intelligence agency were reportedly left on a public Amazon server by one of the nation's top intelligence contractor without a password, according to a new report. UpGuard cyber risk analyst Chris Vickery discovered  a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on Amazon cloud storage server for anyone to access. The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors. Although there wasn't any top secret file in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials. Master Credentials to a Highly-Protected Pentagon System were Exposed Roughly 28GB of exposed documents included the privat
How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet

How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet

March 03, 2017Swati Khandelwal
The major internet outage across the United States earlier this week was not due to any virus or malware or state-sponsored cyber attack, rather it was the result of a simple TYPO. Amazon on Thursday admitted that an incorrectly typed command during a routine debugging of the company's billing system caused the 5-hour-long outage of some Amazon Web Services (AWS) servers on Tuesday. The issue caused tens of thousands of websites and services to become completely unavailable, while others show broken images and links, which left online users around the world confused. The sites and services affected by the disruption include Quora, Slack, Medium, Giphy, Trello, Splitwise, Soundcloud, and IFTTT, among a ton of others. Here's What Happened: On Tuesday morning, members of Amazon Simple Storage Service (S3) team were debugging the S3 cloud-storage billing system. As part of the process, the team needed to take a few billing servers offline, but unfortunately, it end
Police Ask for Amazon Echo Data to Help Solve a Murder Case

Police Ask for Amazon Echo Data to Help Solve a Murder Case

December 28, 2016Swati Khandelwal
Hey, Alexa! Who did this murder? Arkansas police are seeking help from e-commerce giant Amazon for data that may have been recorded on its Echo device belonging to a suspect in a murder case, bringing the conflict into the realm of the Internet of Things. Amazon Echo is a voice-activated smart home speaker capable of controlling several smart devices by integrating it with a variety of home automation hubs. It can do tasks like play music, make to-do lists, set alarms, and also provide real-time information such as weather and traffic. As first reported by The Information, authorities in Bentonville have issued a warrant for Amazon to hand over audio or records from an Echo device belonging to James Andrew Bates in the hope that they'll aid in uncovering additional details about the murder of Victor Collins. Just like Apple refused the FBI to help them unlock iPhone belonging to one of the San Bernardino terrorists, Amazon also declined to give police any of the info
Hackers leak 13,000 Passwords Of Amazon, Walmart and Brazzers Users

Hackers leak 13,000 Passwords Of Amazon, Walmart and Brazzers Users

December 27, 2014Mohit Kumar
Hackers claiming affiliation with the hacktivist group "Anonymous" have allegedly leaked more than 13,000 username and password combinations for some of the worlds most popular websites, including Amazon, Xbox Live and Playstation Network . The stolen personal information was released in a massive text document posted to the Internet file-sharing website Ghostbin  (now deleted) , on Friday. The document contains a huge number of usernames and passwords, along with credit card numbers and expiration dates. The news came just a day after the hacker group Lizard Squad compromised Sony's Playstation and Microsoft's Xbox Live gaming networks on Christmas day, which is estimated to have affected Xbox's 48 million subscribers and PlayStation's 110 million users, making it a total of more than 150 million users worldwide. However, data breach of 13,000 users is not the biggest data breach we've ever seen. When millions of passwords are used for sites ar
U.S. based Cloud Hosting providers contribute 44% of Malware distribution

U.S. based Cloud Hosting providers contribute 44% of Malware distribution

January 20, 2014Anonymous
U.S. has the top Security Agencies like NSA, FBI to tackle cyber crime and terrorism with their high profile surveillance technologies, but even after that U.S is proudly hosting 44% of the entire cloud based malware distribution. With the enhancement in Internet technology, Cloud computing has shown the possibility of existence and now has become an essential gradient for any Internet Identity. Cloud services are designed in such a way that it is easy to maintain, use, configure and can be scaled depending upon the requirement of the service being provided using the CLOUD technology with cost effective manner. Due to the Easy and Cost effective alternative of traditional computing, Malware writers are using the big cloud hosting platforms to quickly and effectively serve malware to Internet users, allowing them to bypass detection and geographic blacklisting by serving from a trusted provider. Hiding behind trusted domains and names is not something new. According to recently
Deals — IT Courses and Software

Sign up for our cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.