In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

guest · Aug 13, 2020

In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering
Subdomains belonging to the service were found to be harboring CORS errors and vulnerable to XSS attacks
August 13, 2020
https://www.zdnet.com/article/in-on...r-theft-of-voice-history-pii-skill-tampering/

Amazon's Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service's subdomains.

Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
When Check Point first began examining the Alexa mobile app, the company noticed the existence of an SSL mechanism that prevents traffic inspection. However, the script used could be bypassed using the Frida SSL universal unpinning script.
Click to expand...

By launching an XSS attack, researchers were also able to acquire CSRF tokens and, therefore, perform actions while masquerading as the victim.
Check Point also provided proof-of-concept (PoC) code.

Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes -- although the time window before malicious skills are spotted and removed may be short.
Click to expand...

Check Point Research: Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon’s Alexa

At the end of 2020, it was reported that over 200 million Alexa-powered devices had been sold by the end of the year.

As virtual assistants today serve as entry points to people’s homes appliances and device controllers, securing these points has become critical, with maintaining the user’s privacy being top priority. This was our “entry point” and central motivation while conducting this research.
Click to expand...

These vulnerabilities would have allowed an attacker to:

Silently install skills (apps) on a user’s Alexa account

Get a list of all installed skills on the user’s Alexa account

Silently remove an installed skill

Get the victim’s voice history with their Alexa

Get the victim’s personal information

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.
Click to expand...

Log in or Sign up

In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

guest Guest

Log in or Sign up

In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

guest Guest

Useful Searches