Amazon has Fixed a High Severity Vulnerability in Amazon Photos Android App
On 28 June 2022, Checkmarx reported that Amazon's Amazon Photos Android app contained a high-severity broken authentication vulnerability affecting users who had installed it. The flaw could let a malicious app on the same device steal the user's Amazon access token. The app currently has 50 million downloads on the Google Play Store.
According to the report, the vulnerability stems from a misconfigured app component that was declared in the manifest file as externally accessible without any authentication. This allowed attackers to obtain the user's Amazon access token, which is used to authenticate the user across multiple Amazon APIs (application programming interfaces). Some of these APIs expose personal information such as names, emails, and addresses; others include the Amazon Drive API.
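The misconfiguration described above is the kind of thing a manifest audit catches before release. The following is an added example, not code from Checkmarx or Amazon: it parses a constructed AndroidManifest.xml (component names are hypothetical) and lists components that any other app can reach because they are exported and carry no android:permission gate, applying the pre-Android 12 rule that a component with an intent-filter is exported by default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical names, not Amazon's app):
# one activity is exported with no permission, one is implicitly exported
# via an intent-filter, one service is exported but permission-protected.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photos">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TokenHandoffActivity" android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.photos.permission.SYNC"/>
    <provider android:name=".MediaProvider" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    # Attributes in the android: namespace are keyed as {NS}name by ElementTree.
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_exported(manifest_xml):
    """Return (tag, name) for components other apps can invoke with no permission.

    Exported means android:exported="true", or android:exported omitted while an
    intent-filter is present (the pre-Android 12 default). The launcher MAIN
    activity must be exported, so it is skipped.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            is_exported = exported == "true" or (exported is None and has_filter)
            if not is_exported or _attr(comp, "permission"):
                continue
            actions = {_attr(a, "name") for a in comp.iter("action")}
            if "android.intent.action.MAIN" in actions:
                continue
            findings.append((tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_exported(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

Anything the check reports should either be made non-exported, guarded with a signature-level permission, or redesigned so it never hands sensitive data such as tokens to an arbitrary caller.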
Checkmarx researchers reported the vulnerability to Amazon in November 2021, and in December 2021 Amazon confirmed it had resolved the issue with a security update. According to Checkmarx, there is currently no evidence that the flaw exposed sensitive customer information.