IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Alexa flaws may have let hackers steal voice history

Certain Amazon and Alexa subdomains were vulnerable to cross-origin resource sharing and cross-site scripting attacks

Some Amazon and Alexa subdomains were vulnerable to attack, meaning hackers could have accessed users' voice history on Alexa devices, install third-party apps, and access personal information. 

By exploiting cross-origin resource sharing (CORS) misconfiguration, as well as cross-site scripting (XSS) to get a unique CSRF token, hackers were able to perform actions on Alexa devices on a victims’ behalf. 

These flaws, which were reported in June and subsequently fixed, could have allowed an attacker to install third-party apps (or skills), get a list of installed apps, remove an installed app, get a victim’s voice history, and access their personal information.

When testing with the Alexa mobile application, researchers with Check Point Research noticed an SSL pinning mechanism which prevented them from inspecting traffic. This was bypassed using a universal unpinning script, with researchers viewing traffic in plain text. 

“While looking at the traffic of the application, we found that several requests made by the app had misconfigured the CORS policy, ultimately allowing the sending of Ajax requests from any other Amazon sub-domain,” said security researchers Dikla Barda, Roman Zaikin and Yaara Shriki.

“This could potentially have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain.”

One of the requests returned a list of all installed skills on the Alexa device, and also returned the CSRF token. This token was then used to perform actions, such as installing and enabling new skills remotely. 

Related Resource

Communicating with your customers

The evolution of conversational AI

Download now

The researchers needed to exploit the XSS vulnerability in one of Amazon’s sub-domains for the attack to succeed and use the victim’s identification cookies. From there, they could exploit the CSRF attack and CORS misconfiguration, and perform actions on behalf of the victim on their Alexa account.  

Alarmingly, the attack could’ve been conducted using a single malicious link that would direct a victim to the Amazon website, where the attacker had code-injection capabilities. From there, they could conduct various actions including stealing voice history and personal data

“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson said.

"We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Amazon signs launch deals with Arianespace, Blue Origin and United Launch Alliance for Project Kuiper
broadband

Amazon signs launch deals with Arianespace, Blue Origin and United Launch Alliance for Project Kuiper

6 Apr 2022
AWS to invest £1.8bn in UK data centres and other cloud infrastructure
Cloud

AWS to invest £1.8bn in UK data centres and other cloud infrastructure

18 Mar 2022
AWS launches carbon tracking tool for its cloud customers
cloud computing

AWS launches carbon tracking tool for its cloud customers

2 Mar 2022
How to think like a Digital CFO
Whitepaper

How to think like a Digital CFO

13 Jan 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022