The Trustlook security team has decided to disclose a vulnerability we discovered in Audible, an Amazon app.
Audible is a popular audiobook app with 10M-50M installs. When accessing its backend on AWS, Audible handles authentication improperly: AWS credentials carrying root privilege are hardcoded inside the binary code of a library file. An attacker could extract the keys by reverse engineering the app, gain access to Audible's cloud infrastructure, and do anything on behalf of the developer's AWS account, including:
- Create or shut down Amazon EC2 hosts
- Add or delete Amazon S3 storage servers
- Manipulate SNS and SQS services
- Other operations supported by the AWS API: accessing backup volumes/snapshots, changing security groups, etc.
The possibility that unauthorized access or a data leak has already occurred on Audible's cloud servers cannot be excluded.
After the initial report, Trustlook actively worked with Audible to get this issue fixed. On April 22, Audible patched the vulnerability in a new release.
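A pre-release check for this class of defect, added here as an example that is not Trustlook's or Audible's code: it scans build artifacts byte-wise for AWS access key IDs, treating long-lived IAM user keys (prefix `AKIA`) as a release blocker and distinguishing them from temporary STS keys (prefix `ASIA`). The sample blob, the file-suffix list and the key values are constructed; the `AKIA` value is the placeholder AWS uses in its own documentation.

```python
import re
from pathlib import Path

# AWS access key IDs are 20 characters: a 4-letter prefix followed by 16
# upper-case letters or digits. "AKIA" marks long-lived IAM user keys, which
# should never ship inside an app binary; "ASIA" marks temporary STS keys,
# which are short-lived and expected in client-side traffic.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def find_access_key_ids(blob: bytes):
    """Return (offset, key_id) pairs for every access-key-shaped string in blob.

    The scan is byte-based, so it works on native libraries, DEX files and
    other non-text artifacts, not only on source files.
    """
    return [(m.start(), m.group(0).decode("ascii")) for m in ACCESS_KEY_RE.finditer(blob)]


def long_lived_key_ids(blob: bytes):
    """Only AKIA keys: the finding that should block a release."""
    return [k for _, k in find_access_key_ids(blob) if k.startswith("AKIA")]


def scan_tree(root: str, suffixes=(".so", ".dex", ".jar", ".json", ".xml", ".properties")):
    """Walk an unpacked build (e.g. an extracted APK) and report AKIA hits per file.

    The suffix list is an assumption; widen it to whatever your build emits.
    """
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = long_lived_key_ids(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample standing in for a native library. The AKIA value is the
# placeholder from AWS documentation, not a real credential; the secret is redacted.
SAMPLE_LIB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"libaudio_client.so\x00"
    + b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws.secretKey=<redacted-40-char-secret>\x00"
    + b"sessionKey=ASIAQ3MBVEXAMPLE0001\x00"
    + b"not_a_key=AKIAtoo_short\x00"
)

if __name__ == "__main__":
    for offset, key_id in find_access_key_ids(SAMPLE_LIB):
        kind = "LONG-LIVED (block release)" if key_id.startswith("AKIA") else "temporary STS"
        print(f"offset 0x{offset:x}: {key_id} -> {kind}")
```

Running this against the extracted `lib/` and `classes*.dex` of a release build before upload is the cheap gate that would have caught a baked-in root key.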
| Date | Event |
|---|---|
| Mar 29 | Vulnerability discovered |
| Apr 4 | Vulnerability reported to Audible |
| Apr 17 | Contact established |
| Apr 17 | Audible claims a fix is in place, pending release |
| Apr 22 | Fixed version released on Google Play |