Researchers from Check Point discovered several web application flaws on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw and cross-origin resource sharing (CORS) misconfiguration.
Amazon Alexa's web-connected smart assistant devices were vulnerable to attackers seeking users' personally identifiable information (PII) and voice recordings.
An attacker could remotely exploit these vulnerabilities by sending a specially crafted Amazon link to the victim.
Check Point researchers examined the mobile app and found that, after using the Frida SSL universal unpinning script to bypass the SSL pinning mechanism implemented to prevent traffic inspection, they were able to view the traffic transmitted between the app and the Echo device in cleartext.
When the user clicks the malicious link sent by the attacker, it directs them to an Amazon site where the vulnerabilities are exploited.
A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies.
An attacker could carry out a more elaborate attack by sending an Ajax request to the Amazon skill store. The response would return a list of all skills installed in the victim's Amazon Alexa account, and the attacker could then replace one of those skills with a similar-looking malicious skill.
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim's interaction with the bank skill and get their data history,” the team says. “We can also get usernames and phone numbers, depending on the skills installed on the user's Alexa account.”
Check Point spokesperson Ekram Ahmed issued some safety guidelines on Alexa use:
- Avoid unfamiliar apps and don't install them on smart speakers.
- Be careful with the sensitive information you share with your smart speakers, such as bank accounts and passwords.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us. We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,” said the company spokesperson.