Researchers at security firm Check Point on Thursday reported that they had found a critical flaw in Amazon Alexa that could have exposed the voice history of more than 200 million of its users to hackers.
According to a report by Check Point, they found “certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.”
These vulnerabilities would have allowed an attacker to:
In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the installed skill.
Alexa users could have been made easy prey for the vulnerability, as the hack “required just one click on an Amazon link” intentionally crafted and sent by the attacker, the report says.
The hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user. Once the user clicks on the malicious link, the hacker would get the ability to view the entire skill list, install and remove skills on a user’s Alexa account, and gain access to the victim’s voice h ..
Support the originator by clicking the read the rest link below.
