Amazon Alexa flaw that could expose personal information and speech histories found
By Sambit Satpathy · Aug 13, 2020
By Sambit Satpathy · Aug 13, 2020
[SHOWTOGROUPS=4,20,22]
Security researchers Для просмотра ссылки Войдиили Зарегистрируйся an exploit in Amazon’s Alexa voice platform. When exploited, Check Point Research says that the flaw could have given attackers access to users’ personal information. These include users’ Amazon account details as well as speech histories.
The researchers identified the vulnerability while conducting tests with the Alexa smartphone app. They used a script to bypass the mechanism implemented for protecting the app's traffic, which allowed them to view it in clear text. They found that several requests made by the app had a misconfigured policy, which could be potentially bypassed to send requests from a domain controlled by a malicious party.
In the real world, a bad actor would have been able to convince an unsuspecting user to click on a malicious link to Amazon that actually holds code-injection capabilities. Once clicked, the attacker would be able to get hold of the users’ list of apps and skills installed on Alexa. They would also be able to remotely install and enable new skills for the victim. More serious attackers could also get hold of users’ speech histories as well as personal information from their Alexa account.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point is quoted as saying in a press release:
[/SHOWTOGROUPS]
Security researchers Для просмотра ссылки Войди
The researchers identified the vulnerability while conducting tests with the Alexa smartphone app. They used a script to bypass the mechanism implemented for protecting the app's traffic, which allowed them to view it in clear text. They found that several requests made by the app had a misconfigured policy, which could be potentially bypassed to send requests from a domain controlled by a malicious party.
In the real world, a bad actor would have been able to convince an unsuspecting user to click on a malicious link to Amazon that actually holds code-injection capabilities. Once clicked, the attacker would be able to get hold of the users’ list of apps and skills installed on Alexa. They would also be able to remotely install and enable new skills for the victim. More serious attackers could also get hold of users’ speech histories as well as personal information from their Alexa account.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point is quoted as saying in a press release:
Vanunu adds that the research firm highlighted the flaw to Amazon back in June, and it responded by fixing it. “We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy. Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains,” he said.
[/SHOWTOGROUPS]
