Amazon Fixes Critical Vulnerabilities In Fire Phones

amazon vulnerability

Online shopping giant Amazon has fixed three critical vulnerabilities in its Fire smartphones. Two of the vulnerabilities identified by MWR experts exists in the CertInstaller package. An attacker could exploit the vulnerabilities in the package to install certificates on Amazon Fire devices without user interaction.

As the result, the encrypted traffic that does not make use of certificate pinning could be hijacked by an attacker sitting in a man-in-the-middle position.

The devices using Fire OS version lower than 4.6.1 are also affected by a vulnerability in the USB Debugging feature.

The vulnerability in the USB Debugging feature could allow an attacker to install malicious applications, bypass the lock screen, access a shell on the device, or steal application data (only if the USB debugging mode is turned on).

"Users are advised to only install applications from trusted sources and exclusively make use of trusted networks," MWR said in its advisory. "Users that notice any notifications regarding 'Certificate Installed' should immediately remove the certificate and uninstall any possibly malicious applications that were recently added."

No comments

Powered by Blogger.