
Check Point researchers identified a gaping hole in Alexa, Amazon’s voice assistant platform, that could leak a variety of personal data.
The report should make marketers and developers who create skills for voice assistants aware of a vulnerability that could tarnish brands' reputation.
Estimates suggest that Amazon will have sold more than 200 million Alexa devices by the end of 2019.
The findings show that certain Amazon and Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS).
What does this mean? All sorts of personal data was available to hackers who wanted to abuse the platform. All it would take is one click on an Amazon link that had been specially crafted by the attacker.
The vulnerabilities would have allowed an attacker to:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
Using the XSS flaw, a DOM-based cross-site scripting bug, the researchers were able to obtain the CSRF token and perform actions on behalf of the victims.
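The CORS misconfiguration on the subdomains is the piece that lets an attacker-controlled page read authenticated responses (and with them tokens such as the CSRF token). The following is an added example, not code from Check Point or Amazon: a loose origin check of the kind that commonly causes this class of bug, beside a strict allowlist check, and the response headers each would produce. The origin names are constructed placeholders.

```javascript
// Added illustration of a CORS origin check done loosely and done strictly.
// Origins below are constructed placeholders, not Amazon's real hosts.

// Exact origins allowed to make credentialed cross-origin requests.
const ALLOWED_ORIGINS = new Set([
  'https://alexa.example.com',
  'https://skills.example.com',
]);

// Misconfigured check: trusts any origin whose host merely *ends with* or
// *contains* the trusted domain. It accepts attacker-registered hosts such as
// "https://example.com.attacker.net" or "https://notexample.com", so a page
// there can read the API's authenticated responses, CSRF token included.
function looseOriginAllowed(origin) {
  return typeof origin === 'string' && /example\.com/.test(origin);
}

// Strict check: the Origin header must match an allowlisted origin exactly,
// including scheme, host and port.
function strictOriginAllowed(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a credentialed request using the given
// policy function. Returns an empty object when the origin is not allowed, so
// the browser refuses to expose the response to the calling page.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                            // keep caches per origin
  };
}

// Convenience: true when a policy would hand a credentialed response to
// an origin, used to compare the two policies on the same input.
function leaksTo(origin, isAllowed) {
  return Object.keys(corsHeaders(origin, isAllowed)).length > 0;
}
```

A quick check during review is to send requests with an Origin that merely contains the trusted domain and confirm that `Access-Control-Allow-Origin` is not reflected back.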
Earlier this year, a similar bug was found in Google Voice browser.
While Amazon does not record banking login credentials, it does record interactions.
The hacker also would have gained access to the chat history, learning the victim's interactions with the bank skill and obtaining their data history.
Usernames and phone numbers, depending on the skills installed on the user’s Alexa account, were also available.