silversurfer (Level 65, Verified, Trusted, Content Creator, Malware Hunter):

Vulnerabilities in Amazon’s Alexa virtual assistant platform could allow attackers to access users’ banking data history or home addresses – simply by persuading them to click on a malicious link.

Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw and cross-origin resource sharing (CORS) misconfiguration. An attacker could remotely exploit these vulnerabilities by sending a victim a specially crafted Amazon link.

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” said Oded Vanunu, head of products vulnerabilities research at Check Point, in research published Thursday. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Researchers disclosed their research findings to Amazon in June 2020. Amazon fixed the security issues, and researchers publicly disclosed the flaws on Thursday. Threatpost has reached out to Amazon for further comment.
Full report below by researchers:
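The article names two flaw classes on the Alexa subdomains, an XSS bug and a CORS misconfiguration, without describing either in detail. As an added illustration that is not part of the Check Point report or the Threatpost article, the Python below shows what the CORS side of such a problem typically looks like from a defender's seat: a credentialed endpoint that echoes whatever Origin header it receives (the weak pattern) beside the allowlisted form, plus a small header check an auditor can run over captured responses. The origins, allowlist and header values are constructed for the example and have nothing to do with Amazon's real configuration.

```python
"""CORS misconfiguration: weak (origin-reflecting) vs allowlisted headers,
and a checker that flags the dangerous combinations.

All origins below are constructed placeholders, not real hosts.
"""
from typing import Dict, List, Optional, Set

# Hypothetical first-party allowlist for a credentialed API.
FIRST_PARTY_ORIGINS: Set[str] = {
    "https://app.example.com",
    "https://www.example.com",
}


def build_cors_headers(
    request_origin: Optional[str],
    allowlist: Set[str] = FIRST_PARTY_ORIGINS,
    reflect_any: bool = False,
) -> Dict[str, str]:
    """Server side: compute CORS response headers for a cookie-authenticated endpoint.

    reflect_any=True reproduces the misconfiguration pattern: the server echoes
    any Origin it receives while also allowing credentials, so a page on a
    foreign origin can read the authenticated response.
    reflect_any=False is the hardened form: only allowlisted origins are echoed.
    """
    headers = {"Vary": "Origin"}  # keep caches from serving one origin's answer to another
    if request_origin is None:
        return headers  # same-origin or non-browser request: no CORS grant needed
    if reflect_any or request_origin in allowlist:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def assess_cors(
    headers: Dict[str, str],
    request_origin: str,
    allowlist: Set[str] = FIRST_PARTY_ORIGINS,
) -> List[str]:
    """Auditor side: flag header combinations that let an unexpected origin
    read a credentialed response. Returns a list of findings (empty = clean)."""
    findings: List[str] = []
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if allow_origin is None:
        return findings  # no cross-origin grant at all

    if allow_origin == "*" and creds:
        # Browsers refuse this pairing, but it shows the server intends to
        # hand credentialed data to anyone.
        findings.append("wildcard origin combined with credentials")
    if allow_origin == "null" and creds:
        findings.append("'null' origin allowed with credentials")
    if allow_origin == request_origin and request_origin not in allowlist and creds:
        findings.append("arbitrary origin reflected with credentials")
    if "origin" not in h.get("vary", "").lower():
        findings.append("missing Vary: Origin on a per-origin response")
    return findings


if __name__ == "__main__":
    probe = "https://attacker.example"  # constructed foreign origin
    weak = build_cors_headers(probe, reflect_any=True)
    hardened = build_cors_headers(probe)
    print("weak     :", weak, assess_cors(weak, probe))
    print("hardened :", hardened, assess_cors(hardened, probe))
```

The check is deliberately conservative: it only reports the reflect-with-credentials case when the echoed origin is outside the allowlist, so legitimate first-party grants do not show up as findings, and it treats a missing `Vary: Origin` as a separate, lower-severity issue because it turns a per-origin decision into a cache-poisoning risk.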

show-Zi (Level 26, Verified):

This may be my bias, but many IoT adopters tend to be more interested in what looks useful, so I think it's relatively easy to lead to malicious links. In other words, I suspect that at this point in time their focus is more on curiosity than security.

In such a case, is it impossible to take measures such as issuing a warning from the Alexa side?

upnorth (Moderator, Staff member, Verified, Malware Hunter):

show-Zi said:
> This may be my bias, but many IoT adopters tend to be more interested in what looks useful, so I think it's relatively easy to lead to malicious links. In other words, I suspect that at this point in time their focus is more on curiosity than security.
>
> In such a case, is it impossible to take measures such as issuing a warning from the Alexa side?

Nope, absolutely not impossible! Poor and weak excuses were, for example, used when the RING scandal was a fact. Another Amazon product, btw. The developers can and should be enforced by law to have better protections installed, by default and not after another new scandal/hack etc.

CyberTech (Level 32, Verified):

Editor's take: Amazon has patched a serious flaw on its Alexa platform that allowed attackers to grab every bit of information from your Alexa device and Amazon account. This is a reminder that smart assistant devices are as vulnerable as they are convenient, and you, the user, should lock down your interactions with them to make them more secure.

Amazon has sold an estimated 200 million Alexa-powered devices over the last five years, most of which are Echo smart speakers that can aid in some aspects of your digital life. The company is often selling them below cost, so this number is only likely to increase.

There's a lot to be said about the "convenience" these Alexa-powered speakers can afford, depending on who you ask, but it certainly does come at a cost of privacy and security. For instance, Amazon pays human reviewers to listen to snippets of your voice recordings to improve the artificial intelligence behind Alexa, and even if you opt out there's no guarantee that existing transcripts will get deleted.

Update: Amazon does insist it will delete any transcript from their records once you delete the interactions from Alexa (more on that below) -- this surely comes from tightening their privacy policies and government scrutiny.

Cortex (Level 23, Verified):

CyberTech said:
> Update: Amazon does insist it will delete any transcript from their records once you delete the interactions from Alexa (more on that below) -- this surely comes from tightening their privacy policies and government scrutiny.

That's jolly decent of them (slap on Amazon's back), though I thought they already did that. All good reasons to disable Alexa, as I already do, assuming it gets disabled?