Newly patched Alexa exploit could have leaked user banking data

13 Aug 2020


A vulnerability in Amazon’s Alexa smart assistant could have allowed hackers to exploit a user’s voice history and personal data.

Cybersecurity researchers from Check Point Research have documented an exploit in Amazon’s Alexa that could have led to serious breaches of user data had it not been patched. Used in many of the e-commerce giant’s devices such as the Echo and Echo Dot, Alexa is the smart assistant that users interact with to order goods online, play music or hear the latest headlines.

According to this recent discovery, certain Amazon and Alexa subdomains were vulnerable to ‘cross-origin resource sharing’ (CORS) misconfiguration and cross-site scripting. The vulnerability was reported to Amazon in June and has since been patched.

This could have allowed anyone with the right knowledge to secretly install or remove skills (an app or capability) on a user’s Alexa account, listen to their voice history or access personal information. All that would have been required for the exploit to work was for the user to click on a fake Amazon link created by hackers in a phishing attempt.

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,” said Check Point’s head of products vulnerabilities research, Oded Vanunu.

“But hackers see them as entry points into people’s lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”

A quick response

In testing, the Check Point team came across a mechanism that would prevent anyone from inspecting user commands or information. However, a common script could have been used to bypass this security measure and view user information in clear text.

The researchers claimed that a misconfigured CORS policy could have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain. By launching a cross-site scripting attack, the researchers were able to install or remove Alexa skills and “trigger an attacker skill”.

If the victim should unknowingly trigger this installation, it could be possible for a hacker to download voice history records and personal information. This could have led to exposure of personal information, such as banking data history and home addresses that were given to the device by the user.
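The article does not describe Amazon's actual CORS configuration. As an added illustration (not code from Check Point or Amazon), the sketch below contrasts a credentialed CORS origin check that trusts every host under a parent domain with one that matches an explicit allowlist, so a script-injection flaw on one subdomain cannot read responses from another. The hostnames and function names are constructed placeholders.

```javascript
// Added example: origin checks for an endpoint that allows credentialed CORS.
// All hostnames are constructed placeholders under example.com.

// Weak policy: reflects any origin whose hostname ends with the parent domain.
// Every sibling subdomain (and look-alike hosts) becomes trusted, so a script
// injection flaw on any one of them can read this endpoint's responses.
function weakAllowOrigin(origin) {
  try {
    const { hostname } = new URL(origin);
    return hostname.endsWith("example.com") ? origin : null;
  } catch {
    return null; // not a parseable origin
  }
}

// Hardened policy: exact match against an explicit allowlist of full origins
// (scheme + host + port), limited to the front ends that need this API.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://account.example.com",
]);

function strictAllowOrigin(origin) {
  if (typeof origin !== "string") return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // covers the literal "null" origin and malformed values
  }
  // An Origin header carries no path or query; reject anything that does.
  if (parsed.origin !== origin) return null;
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Response headers for a credentialed cross-origin request. No CORS headers
// are emitted for an untrusted origin, so the browser blocks the read.
function corsHeaders(origin, allowFn) {
  const allowed = allowFn(origin);
  if (!allowed) return {};
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}
```
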

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” Vanunu added.

“Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”

In a statement to ZDNet, Amazon said: “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems.

“We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”

Colm Gorey was a senior journalist with Silicon Republic
