Researchers at cyber-security firm, Check Point, have detailed multiple critical vulnerabilities in Amazon’s Alexa voice assistant, making it highly susceptible to hacking. In a report published today, the researchers said that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. “Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf”, they said in an official blog post.
According to the researchers, the vulnerabilities could have allowed attackers to silently install or delete Alexa ‘skills’ on an user’s Alexa account without consent. Hackers could have also accessed a list of all installed skills on any compromised Alexa account, they said. What’s even more worrying is that the flaws allowed attackers to gain access to an user’s voice history and personal information.
“In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill”, said the researchers. To successfully break into other people’s Alexa accounts, hackers just needed to get unsuspecting users to click on a specially-crafted Amazon link. The researchers also said that they could access the phone numbers, home addresses, usernames and banking data of many users by deploying their proof-of-concept code.
Check Point disclosed the findings to Amazon in June, and thankfully, the e-commerce giant has since patched the vulnerabilities. “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy”, said Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains”, he said.
Featured Image Courtesy: Check Point