Check Point researchers have discovered a number of vulnerabilities in Amazon Alexa that attackers could use to change Alexa skills and to access users' personal information, voice records, history and Amazon accounts.
The problems are contained in subdomains used by Amazon and Alexa. Note that the vulnerabilities affect Amazon's servers and do not relate to Amazon Echo or other devices that support Alexa.
The researchers described several ways to carry out the attack. One of them involves creating malicious pages on the Amazon.com or Alexa.com domains and distributing links to those pages. Using these pages, an attacker could intercept the authorization token that gives access to the victim's accounts, and then replace an official Alexa app with a malicious version, which starts when the user accesses the voice assistant.
The attacker would then be able to carry out a variety of malicious activities, for example: obtain access to personal data (banking history, name, phone number, home address, etc.), listen to the voice history of interactions with Alexa, silently install Alexa skills (applications), and view or delete them.
“The attack requires only a single click on a malicious link, generated and sent to the attacker, and voice interaction,” the researchers warned.
The experts informed Amazon of the problems they found, and the vulnerabilities have already been fixed.