INTRO: Researchers at the cyber-security firm, Check Point, have detailed multiple critical vulnerabilities in Amazon’s Alexa voice assistant, making it highly vulnerable to hacking. In a report published today, the researchers said that certain Amazon/Alexa subdomains were susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting. “Using the XSS we were ready to get the CSRF token and perform actions on the victim’s behalf”, they said in a politician blog post.
According to the researchers, the vulnerabilities could have allowed attackers to silently install or delete Alexa’s skills’ on a user’s Alexa account without consent. Hackers could have also accessed an inventory of all installed skills on any compromised Alexa account, they said. What’s even more worrying is that the flaws allowed attackers to gain access to a user’s voice history and personal information.
“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill”, said the researchers. To successfully forced entry into other people’s Alexa accounts, hackers just needed to urge unsuspecting users to click on a specially-crafted Amazon link. The researchers also said that they might access the phone numbers, home addresses, usernames, and banking data of the many users by deploying their proof-of-concept code.
Check Point disclosed the findings to Amazon in June, and thankfully, the e-commerce giant has since patched the vulnerabilities. “We conducted this research to spotlight how securing these devices is critical to maintaining users’ privacy”, said Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research. “Thankfully, Amazon responded quickly to our disclosure to shut off these vulnerabilities on certain Amazon/Alexa subdomains”, he said.
Featured Image Courtesy: Check Point