Amazon Alexa, the voice assistant of the e-commerce giant, is the victim of a critical security flaw. According to computer security researchers at CheckPoint Research, this vulnerability would allow a hacker to access the history of voice exchanges as well as the user’s personal data.
Credits: Wikipedia
Alexa, Amazon’s voice assistant, is the victim of a critical security breach. CheckPoint Research’s computer security researchers issued a statement on Thursday (August 13th) in which they claim to have“identified vulnerabilities in certain Amazon/Alexa sub-domains that could allow a hacker to remove/install skills on the victim’s Alexa account.”
These vulnerabilities would allow a hackerto “access the target’s voice exchange history and personal data,” such as bank details, phone numbers or mailing address. The researchers point out that Amazon does not register your bank credentials, but that a hacker can still“access the victim’s interactions with his banking services and obtain the history of his data.”
Related: Amazon Alexa now allows You to Make Skype Calls
An easily exploitable flaw
According to CheckPoint Research, the operation of this flaw is quite simple. To enter the system, the victim must have to click on a malicious link contained in a fake Email from Amazon. This link then redirects the target to a page containing malicious code. All the hacker has to do is send a special request to Alexa’s skill store by posing as the legitimate user.
Once in the square, the attacker can start deleting or installing additional skills,or access the various personal data mentioned above. As a reminder, a skill is nothing more or less than a voice application added to Alexa’s default features.
Related: Amazon Ring – hacker hacks camera, spies on family and terrorizes girl
No casualties to be mourned according to Amazon
“Connectedspeakers and virtual assistants are so common that it’s easy to overlook the amount of personal data they hold and their role in controlling other smart devices in our homes. Hackers see them as entry points into people’s lives, to access data, listen to conversations or perform other malicious actions without the knowledge of their owner,” says Oded Vanunu, Head of Product Vulnerability Research at CheckPoint.
For its part, Amazon was notified of the problem and quickly fixed the flaw,ensuring that they were not awareof “any cases of use of this vulnerability against our customers or exposure of customer information”. As a reminder, in 2018 Alexa had recorded and shared the conversations of a couple without their knowledge.
Source: Android Authority