Security News > 2020 > August > Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data

Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data
2020-08-13 10:00

UPDATE. Vulnerabilities in Amazon's Alexa virtual assistant platform could allow attackers to access users' personal information, like home addresses - simply by persuading them to click on a malicious link.

Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting flaw and cross-origin resource sharing misconfiguration.

In a real-world attack, a bad actor would first convince an Alexa user to click on a malicious link, which then directs them to Amazon where the attacker has code-injection capabilities.

More seriously, researchers speculate that attackers could also access a user's voice history with Alexa and get their personal information - including their banking data history, usernames, phone numbers and home address.

In 2018 a proof-of-concept Amazon Echo Skill showed how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices - and automatically transcribe every word said.


News URL

https://threatpost.com/amazon-alexa-one-click-attack-can-divulge-personal-data/158297/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Amazon 64 9 60 39 13 121