A vulnerability in Amazon Alexa could have exposed users' voice commands and allowed an attacker to install skills (apps) on their account. The vulnerability was reported by the Check Point research team.
Check Point reports that some Alexa/Amazon subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and to cross-site scripting (XSS). Using the XSS vulnerability, the researchers were able to obtain the CSRF token and perform actions on behalf of the victim.
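As an added example (not from Check Point's write-up or Amazon's code), here is the kind of CORS misconfiguration described above beside a hardened origin check and a small audit helper that flags the weak behaviour; the domains and allowlist are constructed placeholders.

```python
"""CORS origin check: reflecting any Origin with credentials allowed lets a
script on an untrusted page read authenticated responses (for example a page
that carries a CSRF token). The hardened version allows only an explicit
allowlist plus strict subdomains of a trusted parent domain.
All domains below are constructed placeholders, not real hosts."""
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment lists its own trusted origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://skills.example.com"}
TRUSTED_PARENT = "example.com"


def weak_cors_headers(origin: str) -> dict:
    """Misconfiguration: echo whatever Origin arrives and allow credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(origin: str) -> dict:
    """Grant credentialed cross-origin reads only to trusted HTTPS origins."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return {}
    # endswith("." + parent) rejects look-alikes such as evil-example.com
    # and example.com.evil.net, which a plain substring match would accept.
    trusted = (origin in ALLOWED_ORIGINS or host == TRUSTED_PARENT
               or host.endswith("." + TRUSTED_PARENT))
    if not trusted:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per Origin; keep caches honest
    }


def is_misconfigured(request_origin: str, response_headers: dict) -> bool:
    """Audit check: does this response grant a credentialed read to an untrusted origin?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return False
    if acao == "*":
        return True  # browsers refuse '*' with credentials, but the policy is still wrong
    return acao == request_origin and not hardened_cors_headers(request_origin)
```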
On successful exploitation of these vulnerabilities, an attacker could:
- view the victim's voice history
- access the victim's personal information
- remove installed skills
- get the list of skills installed on the victim's Alexa account
- install skills on the victim's Alexa account
Successful exploitation would have required only one click by the victim on a specially crafted Amazon link supplied by the attacker.
A proof of concept is available in the Check Point blog post.
The vulnerabilities were reported to Amazon in June 2020, and Amazon has since fixed the issue.