Security News > 2020 > August > Amazon Alexa Vulnerabilities Could Have Exposed User Data
The attacks involved a Cross-Origin Resource Sharing misconfiguration and Cross Site Scripting bugs identified on Amazon and Alexa subdomains, which eventually allowed the researchers to perform various actions on behalf of legitimate users.
Successful exploitation of these vulnerabilities could allow an attacker to retrieve the personal information of an Alexa user, as well as their voice history with their Alexa, but also to install applications on the user's behalf, list installed skills, or remove them.
The attacker can use the same invocation phrase to install a skill, which results in the user triggering the attacker skill instead of the original one.
The security researchers note that, while Amazon does not record banking login credentials, the attacker can access users' interaction with the banking skill and grab their data history.
"Security in IoT devices such as the Amazon Echo and associated Alexa voice assistant service is an important issue," Matt Aldridge, Principal Solutions Architect, Webroot, said in an emailed comment.