Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data

silversurfer
Thread author
Vulnerabilities in Amazon’s Alexa virtual assistant platform could allow attackers to access users’ banking data history or home addresses – simply by persuading them to click on a malicious link.

Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw and cross-origin resource sharing (CORS) misconfiguration. An attacker could remotely exploit these vulnerabilities by sending a victim a specially crafted Amazon link.

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” said Oded Vanunu, head of products vulnerabilities research at Check Point, in research published Thursday. “Alexa has concerned us for a while now, given its ubiquity and connection to IoT devices. It’s these mega digital platforms that can hurt us the most. Therefore, their security levels are of crucial importance.”

Researchers disclosed their research findings to Amazon in June 2020. Amazon fixed the security issues, and researchers publicly disclosed the flaws on Thursday. Threatpost has reached out to Amazon for further comment.
Full report below by researchers:
 
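The Threatpost summary above attributes the attack to a cross-site scripting flaw combined with a CORS misconfiguration on Alexa subdomains. As an added illustration that is not part of the article, Check Point's report or Amazon's code, the following Python sketches the CORS half of that pattern in general terms: a handler that reflects any Origin while also allowing credentials, a handler that "trusts" any origin containing its own domain name, and a hardened exact-match allow-list. The hostnames, the allow-list and the audit routine are all constructed for this example; nothing here describes Amazon's real configuration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical service (not Amazon's real domains).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://skills.example.com",
})


def cors_headers_weak(origin):
    """Misconfigured pattern: reflect whatever Origin the browser sent and also
    allow credentials. Any page a logged-in user is lured to can then read
    authenticated responses from this service cross-origin."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_substring(origin):
    """Second common mistake: treat an origin as trusted if our domain name
    appears anywhere in it. A look-alike such as https://example.com.attacker.example
    passes this check."""
    if origin and "example.com" in origin:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_hardened(origin):
    """Exact-match allow-list. The Origin must be a bare https scheme://host[:port]
    (browsers never send a path in Origin) and must appear verbatim in the list.
    Vary: Origin keeps caches from serving one origin's response to another."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return {}
    if parts.path or parts.query or parts.fragment:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def exposes_credentialed_data(headers, origin):
    """Defender's check on captured response headers: can a page at `origin`
    read this response with the user's cookies attached? That is the condition
    a reviewer looks for when auditing a service's CORS behaviour."""
    allow_origin = headers.get("Access-Control-Allow-Origin")
    allow_creds = headers.get("Access-Control-Allow-Credentials", "").lower()
    return allow_origin == origin and allow_creds == "true"


def audit(policy, origins):
    """Run a CORS policy against a set of request Origins and report which of
    them would be able to read credentialed responses."""
    return {o: exposes_credentialed_data(policy(o), o) for o in origins}


# Constructed sample Origins: one legitimate, one foreign site, one look-alike
# host, one plaintext downgrade of the legitimate host, and the opaque "null".
TEST_ORIGINS = [
    "https://app.example.com",
    "https://attacker.example",
    "https://example.com.attacker.example",
    "http://app.example.com",
    "null",
]

if __name__ == "__main__":
    for name, policy in [("weak", cors_headers_weak),
                         ("substring", cors_headers_substring),
                         ("hardened", cors_headers_hardened)]:
        print(name)
        for origin, exposed in audit(policy, TEST_ORIGINS).items():
            print(f"  {origin:40s} readable with credentials: {exposed}")
```

Only the hardened policy limits credentialed reads to the one legitimate origin; the reflecting policy grants every origin, including "null", and the substring policy grants the look-alike host. The example covers only the CORS side of the report: an XSS flaw on an allowed origin would still let script run in that origin's context, which is why the allow-list alone is not a substitute for fixing injection bugs on the listed hosts.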

show-Zi

This may be my bias, but many IoT adopters tend to be more interested in what looks useful, so I think it's relatively easy to lead to malicious links. In other words, I suspect that at this point in time their focus is more on curiosity than security.

In such a case, is it impossible to take measures such as issuing a warning from the Alexa side?
 

upnorth

Moderator
show-Zi said:
This may be my bias, but many IoT adopters tend to be more interested in what looks useful, so I think it's relatively easy to lead to malicious links. In other words, I suspect that at this point in time their focus is more on curiosity than security.

In such a case, is it impossible to take measures such as issuing a warning from the Alexa side?

Nope, absolutely not impossible! Poor and weak excuses were, for example, used when the RING scandal was a fact. Another Amazon product, btw. The developers can and should be enforced by law to have better protections installed, by default and not after another new scandal/hack etc.
 

CyberTech

Editor's take: Amazon has patched a serious flaw on its Alexa platform that allowed attackers to grab every bit of information from your Alexa device and Amazon account. This is a reminder that smart assistant devices are as vulnerable as they are convenient, and you, the user, should lock down your interactions with them to make them more secure.

Amazon has sold an estimated 200 million Alexa-powered devices over the last five years, most of which are Echo smart speakers that can aid in some aspects of your digital life. The company is often selling them below cost, so this number is only likely to increase.

There's a lot to be said about the "convenience" these Alexa-powered speakers can afford, depending on who you ask, but it certainly does come at a cost of privacy and security. For instance, Amazon pays human reviewers to listen to snippets of your voice recordings to improve the artificial intelligence behind Alexa, and even if you opt out there's no guarantee that existing transcripts will get deleted.

Update: Amazon does insist it will delete any transcript from their records once you delete the interactions from Alexa (more on that below) -- this surely comes from tightening their privacy policies and government scrutiny.
 

Cortex

CyberTech said:
Update: Amazon does insist it will delete any transcript from their records once you delete the interactions from Alexa (more on that below) -- this surely comes from tightening their privacy policies and government scrutiny.

That's jolly decent of them (slap on Amazon's back), though I thought they already did that. All good reasons to disable Alexa, as I already do, assuming it gets disabled?
 
