Researchers from Check Point discovered security flaws in Amazon's Alexa virtual assistant platform that could have allowed threat actors to obtain users' personal information or spy on their activities remotely; the victim only needed to click a malicious link. The team found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting (XSS) flaw and a cross-origin resource sharing (CORS) misconfiguration. Chained together, the XSS gave the attacker script execution on an Amazon subdomain, and the CORS misconfiguration let that script read responses from another Amazon origin with the victim's cookies attached.
“These exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill,” researchers said.
The vulnerabilities would have allowed attackers to:
- Stealthily install skills (apps) on a user’s Alexa account
- Get a list of all skills installed on the user's Alexa account
- Remove an installed skill without the user’s knowledge
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information
One-Click Alexa Attack
- The user clicks a malicious link that takes them to amazon.com, where the attacker has code-injection (XSS) capability.
- The injected script sends an Ajax request, with the user's cookies attached, to amazon.com/app/secure/your-skills-page. Because of the CORS misconfiguration the script can read the response, which contains the list of all skills installed on the Alexa account and the CSRF token.
- The attacker uses the CSRF token to remove one common skill from the list obtained in the previous step.
- The attacker then installs a skill with the same invocation phrase as the deleted skill.
- The next time the user speaks that invocation phrase, the attacker's skill is triggered instead of the original.
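To make the chaining in steps 1 and 2 concrete, here is an added example in JavaScript (Node.js); it is not code from Check Point's write-up or from Amazon. It models the browser's CORS check for credentialed requests and three hypothetical server-side CORS policies, so you can see which policies let a script running on a foreign or XSS'd origin read the skills page and the CSRF token inside it. The hostnames (`shop.example` and its subdomains), the `SKILLS_PAGE` response and the token value are constructed for the example.

```javascript
// Added example, not code from the Check Point research or from Amazon.
// Models the browser-side CORS read check and three hypothetical server-side
// CORS policies, to show how a CORS misconfiguration turns an XSS on any
// trusted origin into a credentialed cross-origin read of the skills page.
// All hostnames, the skills page and the token are constructed for illustration.

// --- Server-side policies: map a request Origin to the CORS headers sent back ---

// 1. Reflect whatever Origin arrives (worst case): any site can read.
function reflectAnyOrigin(origin) {
  return { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' };
}

// 2. Trust every host under a parent domain via a naive suffix check.
//    Any XSS on a subdomain is now enough, and the check itself is also wrong:
//    "evil-shop.example" ends with "shop.example".
function trustSuffixNaive(origin) {
  const host = new URL(origin).hostname;
  if (host.endsWith('shop.example')) {
    return { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' };
  }
  return {};
}

// 3. Exact allowlist of the few origins that legitimately need credentialed reads.
//    Vary: Origin keeps caches from serving one origin's headers to another.
const ALLOWED_ORIGINS = new Set(['https://www.shop.example']);
function exactAllowlist(origin) {
  if (ALLOWED_ORIGINS.has(origin)) {
    return { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true', 'vary': 'Origin' };
  }
  return {};
}

// --- Browser side ---
// May a script at `pageOrigin` read a credentialed cross-origin response that
// carries `headers`? Mirrors the Fetch spec's CORS check: ACAO must equal the
// requesting origin exactly ("*" is rejected when credentials are sent) and
// ACAC must be the literal string "true".
function browserAllowsCredentialedRead(headers, pageOrigin) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao !== pageOrigin) return false; // also rejects '*' and a missing header
  return acac === 'true';
}

// Constructed sample of what the skills page returns to a logged-in user.
const SKILLS_PAGE = { skills: ['skill-a', 'skill-b'], csrfToken: 'tok-0123' };

// Simulate step 2: attacker script running at `pageOrigin` (a foreign site, or
// an XSS foothold on a trusted subdomain) fetches the skills page with the
// victim's cookies. Returns what the attacker can read, or null if blocked.
function attackerReadsSkillsPage(policy, pageOrigin) {
  const headers = policy(pageOrigin);
  return browserAllowsCredentialedRead(headers, pageOrigin) ? SKILLS_PAGE : null;
}

// Stand-alone demonstration across the three policies and four origins.
const POLICIES = [['reflectAnyOrigin', reflectAnyOrigin], ['trustSuffixNaive', trustSuffixNaive], ['exactAllowlist', exactAllowlist]];
const ORIGINS = ['https://evil.example', 'https://xss.shop.example', 'https://evil-shop.example', 'https://www.shop.example'];
for (const [name, policy] of POLICIES) {
  for (const origin of ORIGINS) {
    const got = attackerReadsSkillsPage(policy, origin);
    console.log(`${name.padEnd(17)} ${origin.padEnd(27)} ${got ? 'READ token ' + got.csrfToken : 'blocked'}`);
  }
}
```

Run it with `node`. The two vulnerable policies show two distinct mistakes: reflecting any Origin hands the page to a foreign site outright, while trusting a whole domain tree (or using a sloppy suffix match) means one XSS anywhere in that tree, as in the Alexa case, is enough. The CSRF token in the response is what makes steps 3 and 4 possible: a token only protects state-changing requests for as long as the attacker cannot read it, so a credentialed cross-origin read defeats it. An exact allowlist with `Vary: Origin` keeps the token confined to the origins that actually need it.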
Successful exploitation required only that the victim click the specially crafted Amazon link. Amazon patched all the vulnerabilities after Check Point researchers disclosed their findings to the company.
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history. We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account,” researchers added.
Virtual assistants are used to control IoT devices such as lights, air conditioning, entertainment systems and other connected devices in a smart home. The proliferation of connected devices in consumer, enterprise and healthcare environments, together with the vulnerabilities inside them, has created a security blind spot that cybercriminals can exploit. Basic security measures and regular updates reduce the exposure of connected devices, but this case is a reminder that flaws in the vendor's cloud-side web applications can compromise an account without touching the device at all.