Researchers have found several security vulnerabilities affecting the Amazon Alexa home assistant. Exploiting the vulnerabilities could leak users' sensitive details to hackers.
Amazon Alexa Vulnerabilities
Check Point Research security team has shared details about their recent discovery of vulnerabilities in Amazon Alexa.
Elaborating on the findings in a blog post, they revealed that they discovered two different vulnerabilities in Amazon Alexa. These include cross-origin resource sharing (CORS) misconfiguration and cross-site scripting (XSS). Further, the XSS flaw could lead to CSRF.
Briefly, exploiting these vulnerabilities could have devastating results. Since Alexa holds a lot of information about its users, an attacker could access that sensitive data by exploiting the flaws. Such an attack could also allow an attacker to meddle with the user's skills, including deleting or installing skills.
As demonstrated, the attack merely required exploiting an XSS flaw in one of Amazon’s subdomains. The researchers performed the attack via track.amazon.com and skillsstore.amazon.com.
For a successful attack, an attacker would simply trick the user into clicking a malicious link. The link would then take the user to an Amazon subdomain carrying the attacker's injected code.
From there, sending an AJAX request with the user's cookies to the Amazon Alexa skills page would allow the attacker to grab the CSRF token. With that token, an attacker could meddle with the user's skills to conduct malicious activities, including stealing data and voice history.
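The CORS side of this chain is what lets a credentialed AJAX request from another subdomain read the response. The following is an added example, not code from the researchers or from Amazon: a Node.js-style origin check with constructed example.com placeholder names, contrasting a policy that trusts every subdomain with an exact allowlist.

```javascript
// Added example (hypothetical service "skills.example.com" that returns a
// CSRF token to credentialed browser requests). All origin names are
// constructed placeholders, not real hosts.

// Weak policy: any subdomain of example.com is trusted with credentials.
// An XSS on *any* such subdomain lets injected script read the response.
const weakPolicy = {
  allowOrigin: (origin) => {
    let host;
    try { host = new URL(origin).hostname; } catch { return false; }
    return host === "example.com" || host.endsWith(".example.com");
  },
};

// Hardened policy: an exact allowlist of the few origins that genuinely need
// credentialed access. Every other subdomain gets no CORS headers at all.
const strictPolicy = {
  allowOrigin: (origin) => new Set(["https://alexa.example.com"]).has(origin),
};

// Compute the CORS response headers for a credentialed request, or null when
// the origin is not allowed (the browser then refuses to expose the body).
function corsHeadersFor(origin, policy) {
  if (typeof origin !== "string" || !policy.allowOrigin(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // never "*" together with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing one origin's answer for another
  };
}

// Origins relevant to this scenario (constructed names).
const ORIGINS = {
  legit: "https://alexa.example.com",
  xssSubdomain: "https://track.example.com", // assume an XSS exists here
  lookalike: "https://example.com.attacker.test",
};

// True when script running at `origin` could read the token under `policy`.
function canReadCsrfToken(origin, policy) {
  return corsHeadersFor(origin, policy) !== null;
}
```

Under the weak policy the XSS-bearing subdomain can read the token just like the legitimate origin; under the strict allowlist it cannot.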
Researchers have shared the details of the exploit in this video.
Amazon Patched The Bugs
Following the discovery, the researchers informed Amazon about the flaws. In turn, Amazon patched the bugs.
Nonetheless, this discovery has once again raised questions about the security of IoT devices. From securing WiFi networks to fixing bugs, IoT needs special attention from both vendors and customers, who must apply best practices that minimize the potential for exploitation.