Check Point makes charlies out of Amazon security
Israeli Security outfit Check Point have told Wired that Alexa's Web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa.
Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.
For an attacker to exploit the vulnerabilities, they would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com -- a vulnerable page not related to Alexa, but used for tracking Amazon packages -- the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.
https://fudzilla.com/news/51368-alex...ngs-to-hackers
Alexa, can you send all your recordings to hackers?
19th August 2020, 07:49
Alexa, can you send all your recordings to hackers? 
