Security researchers at Check Point have discovered that the Amazon Alexa assistant can be hacked to make it hand over sensitive data, including voice recordings, due to flaws within the service’s subdomains.
The researchers explained that these critical issues could occur because the service’s subdomains are prone to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
These vulnerabilities would have allowed an attacker to:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
Check Point state that “these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.”