• by Laurie Sullivan  @lauriesullivan, August 14, 2020

Check Point researchers identified a gaping hole in Alexa, Amazon’s voice assistant platform, that could leak a variety of personal data.

The report should make marketers and developers who create skills for voice assistants aware of the vulnerability that could tarnish brands' reputation.

Data estimates that Amazon will have sold more than 200 million Alexa devices by the end of 2019.

The findings show that certain Amazon and Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting.

What does this mean? All sorts of personal data is available to hackers who want to abuse the platform. All it would take is one click on an Amazon link that has been specially crafted by the attacker.

Vulnerabilities would have allowed an attacker to:

• Silently install skills (apps) on a user’s Alexa account
• Get a list of all installed skills on the user’s Alexa account
• Silently remove an installed skill
• Get the victim’s voice history with their Alexa
• Get the victim’s personal information

Using the XSS, a DOM-based cross-site scripting, researchers were able to get the CSRF token and perform actions on behalf of the victims.

Earlier this year, a similar bug was found in Google Voice browser.

While Amazon does not record banking login credentials, it does record interactions.

The hacker also would have gained access to the chat history to learn the interactions with the bank skill and get their data history.

Usernames and phone numbers, depending on the skills installed on the user’s Alexa account, were also available.