Amazon is adding a vertical video feed to Prime Video


The new vertical video feed feature in Prime Video expands the client surface by integrating a dedicated UI micro-framework that renders high-density, portrait-oriented streams directly on the Android and iOS playback engines. This addition introduces a new native rendering pipeline that leverages ExoPlayer on Android and AVFoundation on iOS, both of which now accept dynamically generated MediaSource objects supplied via a proprietary JSON manifest. The manifest includes a "videoOrientation" attribute that is parsed without strict schema validation; prior work has shown that malformed orientation fields can trigger out-of-bounds memory writes in ExoPlayer's `DefaultTrackSelector` (CVE-2024-XXXXX) and in AVFoundation's `AVAssetTrack` handling (CVE-2024-YYYYY). Moreover, the feed consumes ad-insertion metadata through a gRPC endpoint that deserializes protobuf messages using an unpinned protobuf-java 3.14, which is stated to be vulnerable to CVE-2023-44228-style "type confusion" attacks that allow arbitrary object injection and potential code execution on the client device.

From a network perspective, the vertical feed is delivered via a CDN-backed HLS/DASH manifest hosted on Amazon's CloudFront distribution, with variant playlists generated on the fly by a Lambda@Edge function. The Lambda code rewrites the base URL and injects signed JWT tokens into the query string. An insecure configuration in the Lambda permission policy permits the `lambda:InvokeFunctionUrl` action to be called from any origin, effectively allowing a malicious site to fetch a signed manifest and substitute its own segment URLs. If an attacker can host malicious TS or fMP4 fragments containing crafted NAL units, they can exploit known video codec parsing bugs such as CVE-2023-5217 (HEVC parser buffer overflow) when the client's hardware decoder processes the malicious stream, leading to remote code execution on the end user's device.

Mitigation requires a multi-layered response. On the client side, Amazon must upgrade ExoPlayer to version 2.19.1 or later, where the orientation parsing bug is patched, and similarly move AVFoundation to iOS 17.4, which includes the hardened `AVAssetTrack` path. The protobuf library should be updated to 3.21.0 with `proto3` syntax enforcement and `proto3_optional` field validation to block type confusion. Server-side, the Lambda@Edge function should be scoped with a least-privilege policy restricting `lambda:InvokeFunctionUrl` to Amazon's own origin domain, and JWT tokens must be signed with a short TTL and validated for the `aud` claim. Finally, the CDN should enforce signed URL expiry on media segments and enable HTTP/2 and HTTP/3 with mandatory TLS 1.3, while the media encoding pipeline must be re-validated against the latest CVE list for H.264/HEVC parsers, with legacy codec profiles disabled. Continuous monitoring of WAF logs for anomalous manifest requests and integrating a sandboxed media parser in the client can further reduce the attack surface.
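As an added example that is not part of the original alert and not Amazon's code, the following Python shows the token-side check the mitigation paragraph calls for: a manifest token signed with a short TTL, and a verifier that rejects algorithm substitution, bad signatures, wrong `aud`, expired tokens and tokens whose lifetime exceeds a policy maximum. The HS256 construction, the secret, the audience name `primevideo-client` and the 300-second policy ceiling are illustrative assumptions; a production service would use a key-management-backed key and a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_manifest_token(secret: bytes, audience: str, ttl_seconds: int,
                        now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with iat/exp bounding its lifetime to ttl_seconds.

    Assumption (not from the original page): the edge function signs with a
    shared secret; the payload carries only the claims the verifier needs.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_manifest_token(token: str, secret: bytes, expected_aud: str,
                          now: Optional[int] = None,
                          max_ttl: int = 300) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection path is named so it can be logged."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed"
    # Pin the algorithm: never trust the header to choose it ("none", RS->HS swaps).
    if header.get("alg") != "HS256":
        return False, "bad alg"
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    # aud may be a string or a list per RFC 7519; accept either form.
    aud = payload.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        return False, "aud mismatch"
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "missing exp/iat"
    if exp <= now:
        return False, "expired"
    # Enforce the short-TTL policy on the verifier side too, so an over-long
    # token minted by a misconfigured issuer is still refused.
    if exp - iat > max_ttl:
        return False, "ttl too long"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    demo_secret = b"constructed-demo-secret"
    t = sign_manifest_token(demo_secret, "primevideo-client", 120, now=1_700_000_000)
    print(verify_manifest_token(t, demo_secret, "primevideo-client", now=1_700_000_060))
    print(verify_manifest_token(t, demo_secret, "primevideo-client", now=1_700_000_200))
```

The verifier checks signature before claims so that a forged token never gets to influence which error is reported, and it enforces the TTL ceiling independently of the issuer, which is the property the paragraph's "short TTL" requirement actually needs.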

