Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data
UPDATE. Vulnerabilities in Amazon's Alexa virtual assistant platform could allow attackers to access users' personal information, like home addresses - simply by persuading them to click on a malicious link.
Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting flaw and cross-origin resource sharing misconfiguration.
In a real-world attack, a bad actor would first convince an Alexa user to click on a malicious link, which then directs them to Amazon where the attacker has code-injection capabilities.
More seriously, researchers speculate that attackers could also access a user's voice history with Alexa and get their personal information - including their banking data history, usernames, phone numbers and home address.
In 2018 a proof-of-concept Amazon Echo Skill showed how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices - and automatically transcribe every word said.
News URL
https://threatpost.com/amazon-alexa-one-click-attack-can-divulge-personal-data/158297/