A recent cybersecurity report reveals the stunning vulnerabilities of the Amazon Alexa smart virtual assistant hardware.
According to Check Point Research, these Amazon Alexa vulnerabilities are extremely easy to exploit. The firm added that malicious users could trick the hardware into giving out sensitive user data. These vulnerabilities can be exploited using various hacking techniques.
Check Point Research reports on Thursday that the vulnerabilities render the Amazon Alexa a prime target to multiple attacks. Among which are Cross-Origin Resource Sharing (CORS) and cross-site scripting (XSS). The cybersecurity firm said that the vulnerabilities come from Amazon’s unpatched subdomains.
The firm adds that while testing the Alexa mobile app, they discovered an SSL protocol that hinders traffic checks. However, security experts were able to bypass the script using the Frida SSL unpinning script. This is an extremely critical risk, which can be bypassed using simple tricks.
Check Point researchers demonstrate how hackers could remove and install skills on a victim’s Alexa @amazon account via subdomains. Read Turning @Alexa99 bad: @_CPResearch_ finds #vulnerabilities. https://t.co/6U3h96W3zg pic.twitter.com/M63K5i4ykc
— Check Point Software (@CheckPointSW) August 13, 2020
Once the bypass is successful, the security experts were able to investigate the guts of the mobile app. They noticed that the app’s CORS policy was misconfigured. This simple misconfiguration allows Ajax requests to be sent directly from Amazon subdomains.
Once a particular subdomain is vulnerable, the security experts can launch an XSS attack. According to reports, these subdomains are skillsstore.amazon.com and track.amazon.com.
What is even more terrifying is how these vulnerabilities can be easily triggered. According to Check Point, users need only to click a malicious link to trigger the vulnerability. Once the payload is delivered, hackers can access user data and cookies related to Amazon products and services.
What data are vulnerable?
According to Check Point, their test revealed that data such as phone numbers, address, and banking information are at risk. Although these data are at risk, they are not exposed to hackers.
In a statement, Check Point says:
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history.”
It is also important to note that Amazon does not redact banking information in user chat logs and browsing histories. To back up their recent discovery, Check Point has provided a proof-of-concept code from their research.
Since these are considered as critical vulnerabilities, Check Point informed Amazon about this in June. This is a common practice in cybersecurity wherein vulnerabilities are shared to the target before the public.
As of this writing, these particular Amazon Alexa vulnerabilities have been completely patched by the company.
Featured image courtesy of Zapp2Photo/Shutterstock