Authentication vulnerability threatens millions of Amazon Photos users
A high-severity flaw in the Amazon Photos app's authentication system could allow Amazon users' access tokens to be stolen and then used to gain access to several Amazon APIs. The company has already been warned about the vulnerability by specialists from Checkmarx. The researchers said the vulnerability is due to a misconfiguration of a component in the application's manifest file.
"Launching this action triggers an HTTP request that contains a header with the user’s access token," say the specialists. Upon receiving the request, the analysts discovered that they could also take control of the server.
Experts strongly recommend that users update the application to the latest version, where the vulnerability has already been fixed.
Source: securitylab.ru
01 July 2022