Check Point has published details of several vulnerabilities in Amazon’s digital voice assistant Alexa. Among other things, they made it possible to steal personal data and voice recordings. The attacks worked via Alexa subdomains that were susceptible to cross-origin resource sharing (CORS) misconfiguration and cross-site scripting.
When analyzing the Alexa mobile app, the researchers found an SSL mechanism intended to prevent traffic inspection. However, this function could be bypassed with the Frida SSL script. The researchers then came across a misconfigured CORS policy that allowed Ajax requests to be sent from subdomains that were susceptible to cross-site scripting.
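The CORS weakness described above, as an added example that is not taken from Check Point's report or Amazon's code: a policy that trusts every subdomain with credentials, next to an exact-origin allowlist. The domain `shop.example`, the subdomain names and the function names are constructed for illustration.

```javascript
// Added example. All hostnames are constructed placeholders.
const PARENT_DOMAIN = "shop.example";
const TRUSTED_ORIGINS = new Set([          // assumed exact allowlist
  "https://www.shop.example",
  "https://skills.shop.example",
]);

function allow(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                      // keep caches from mixing origins
  };
}

// Weak: reflects any origin whose host sits under the parent domain, so a
// single XSS-prone sibling subdomain can read credentialed responses.
function weakCorsHeaders(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return {}; }
  const trusted = host === PARENT_DOMAIN || host.endsWith("." + PARENT_DOMAIN);
  return trusted ? allow(origin) : {};
}

// Hardened: exact scheme + host + port match against the allowlist.
function strictCorsHeaders(origin) {
  let normalized;
  try { normalized = new URL(origin).origin; } catch { return {}; }
  if (normalized !== origin || !TRUSTED_ORIGINS.has(normalized)) return {};
  return allow(origin);
}

// Audit helper: which candidate origins would get credentialed access?
function credentialedOrigins(policy, candidates) {
  return candidates.filter((o) => {
    const h = policy(o);
    return h["Access-Control-Allow-Origin"] === o &&
           h["Access-Control-Allow-Credentials"] === "true";
  });
}

const SAMPLE_ORIGINS = [                   // constructed test inputs
  "https://www.shop.example",
  "https://legacy-promo.shop.example",     // sibling subdomain, not allowlisted
  "http://www.shop.example",               // right host, cleartext scheme
  "https://shop.example.attacker.test",    // look-alike suffix
  "null",                                  // sandboxed iframe / file origin
];
```

Running `credentialedOrigins` with both policies over the same origin list shows which origins only the weak policy trusts; those are the subdomains whose own XSS exposure becomes the API's exposure.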
All an attacker had to do was trick a victim into clicking a specially crafted link to exploit the vulnerabilities. The linked website – a subdomain of Amazon.com – then smuggled in code, allowing Amazon cookies to be stolen.
The researchers then used the cookies for Ajax requests to the Amazon Skill Store. These requests returned a list of the Alexa Skills installed by the victim.
Hackers were also able to impersonate the victim using cross-site request forgery (CSRF), for example to remove Alexa skills and replace them with other skills that were triggered by the existing voice commands. It was therefore possible to assign a new action to a voice command without the user’s knowledge.
In their own tests, the researchers had access to telephone numbers, addresses and financial data, among other things. “Amazon doesn’t record your bank login credentials, but your interactions are recorded, and since we had access to the chat history, we were able to access the victim’s interaction with the banking skill and get the data history,” the researchers said. “We were also able to get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
The researchers submitted their findings to Amazon in June. The security problems have since been fixed. “Fortunately, Amazon responded quickly to our disclosure to address these vulnerabilities on certain Amazon / Alexa subdomains. We hope that manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could endanger user privacy.”
Meanwhile, Amazon emphasized that the security of its devices is a top priority. “We appreciate the work of independent researchers like Check Point, who present potential problems to us,” an Amazon spokesman told ZDNet USA. “We fixed this issue shortly after it was brought to our attention and we continue to strengthen our systems. We are not aware of any cases in which this vulnerability was used against our customers or in which customer information was disclosed.”