I think we need to talk about Amazon Photos
I’d tried reporting this a couple of weeks ago and was basically given the CSR wall; the same tonight, it looks like, but I think there’s an issue here. The issue is that the web page version of Amazon Photos gives you a notice that you’re logged out of Amazon Photos, but you can still access everything. This seems like a pretty decently bad security hole to me, but maybe I’m just paranoid.
Before we jump on the flaw train, my expectation of this is that you’ll only be able to do it from a computer that someone used their Amazon Photos account on. I don’t think this is a massive real world security hole, except that the person you’re dating who has access to your desktop might sneak over and look at every pic you ever took with four clicks of a mouse. I may be wrong. Hey, did you know Amazon Photos has hidden folders? I do now.
So here’s how this works – you go to photos.amazon.com and get a popup telling you you’re no longer signed in and have to log in to continue. Perhaps you rotate your mouse wheel like I did and notice that photos are scrolling by behind the warning that you’re logged out. New photos are loading. This is odd. I scrolled through, I think, about two months of photos, which, based on the message that I was logged out, shouldn’t have happened. I was obviously still logged in.
If I’m logged out, if I’m being told I have to log back in, it seems like there should be something stopping me from accessing everything. I’m not logged out in any meaningful fashion.
I took a video of being able to access all this stuff to at least see… it’s my personal pictures, however, and I don’t want my kids’ faces and glamor shots of Chia Pets all over the internet, so I’m going to post some stills of what happened and then a video of how to do this.
Above is a few seconds after I discovered I could scroll through photos with that no longer signed in floaty sitting there.
10 seconds of scrolling through family pics…
24 seconds or so in. A month back…
OK, so the one thing I noticed at this point was there didn’t ever seem to be anything stopping me… I scrolled and scrolled and Amazon kept serving me the photos up but I couldn’t click them or save them… some security I thought… wonder what happens if I press F12
Using my massive knowledge of the F12 button I got there and saw this … I might have had to hit inspect element or something by right click hacker skills, but who knows… it’s 1:27am at this point. I recorded a video below without much scrolling because I’ve got my kids pictures in there and some creepy people out there. Entire method to remove and regain access shown below.
You can also just right click the popup, choose inspect on the “sign in” button, find the bit of text that says `<div class="dialog-overlay" name="unauth-dialog">`, right click that and choose “hide element” and bam. You’re in. I went back several years on this and photos I could not possibly have cached locally are accessible in full quality.
I don’t know… if I’m trusting Amazon with my photos I’d like to be assured there’s more stopping someone from getting to them on a computer I might have signed in on a long time ago… and maybe there is. Maybe there’s something I’m missing here, but if I trust that Amazon Photos is going to log out (based on what it’s saying on the screen, that I am logged out) and not be accessible by anyone who has physical access to my computer… I’d just like that message that it’s signed out to be that, and not allow complete access to everything.
So yeah, if you’re signed out – right click the “sign in” button, inspect, look at the text six or seven up, right click that, hide element, profit.
What it looks like to my eyes at nearly 2am is that the sign in button target directs the browser to a page that actually signs you out, and then attempts to log you back in.
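As an added example (not Amazon’s code and not from the original post), the snippet below models the distinction this post keeps running into: a “signed out” overlay that is only client-side state, next to a logout that actually invalidates the session the photo requests depend on. All names (`freshServer`, `photosHandler`, the token and file names) are constructed for the demo.

```javascript
// Constructed server state: a session store (cookie token -> account) and a
// per-account photo library. Hypothetical, not Amazon's implementation.
function freshServer() {
  return {
    sessions: new Map([["tok-123", "alice"]]),
    library: { alice: ["beach.jpg", "kids.jpg", "hidden/chia.jpg"] },
  };
}

// API handler: the only thing it trusts is the session cookie. It has no idea
// whether the page is currently drawing an "unauth" overlay, and it should not.
function photosHandler(server, cookieToken) {
  const user = server.sessions.get(cookieToken);
  if (!user) return { status: 401, body: [] };
  return { status: 200, body: server.library[user] };
}

// Client model: the browser holds a cookie and the page holds a UI flag.
function makeClient(token) {
  return { cookieToken: token, overlayShown: false };
}

// Weak "logout": shows the overlay and nothing else. The cookie is still sent
// with every request, so the server keeps answering with photos.
function overlayOnlyLogout(client) {
  client.overlayShown = true;
  return client;
}

// Correct logout: invalidate the session server-side and drop the cookie.
// Hiding a DOM element afterwards changes nothing, because requests fail.
function serverLogout(server, client) {
  server.sessions.delete(client.cookieToken);
  client.cookieToken = null;
  client.overlayShown = true;
  return client;
}

// The page's own data request, issued regardless of what the overlay says.
function fetchPhotos(server, client) {
  return photosHandler(server, client.cookieToken);
}

// Runs both variants against a fresh server and reports the API status codes.
function demo() {
  const server = freshServer();
  const weak = overlayOnlyLogout(makeClient("tok-123"));
  const weakStatus = fetchPhotos(server, weak).status;     // 200: overlay is cosmetic
  const strong = serverLogout(server, makeClient("tok-123"));
  const strongStatus = fetchPhotos(server, strong).status; // 401: session is gone
  return { weakStatus, strongStatus };
}
```

The check a defender wants is the second half: after sign-out, a replayed request with the old cookie must get a 401, independent of anything the page is rendering.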
I highly suspect if you’re in an abusive relationship there’s a good chance this will be used somehow.
I can go in and search people, share photos, it looks like add someone as a family member, and access hidden items. Oh yeah, your vengeful roommate isn’t going to potentially be looking through that, are they?
Yeah, make sure you manually sign out of Amazon Photos is all I am saying…