The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot - with over 200 million shipments worldwide - was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings. Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.

When Check Point first began examining the Alexa mobile app, the company noticed the existence of an SSL mechanism that prevents traffic inspection. However, this mechanism could be bypassed using the Frida SSL universal unpinning script. This led to the discovery of the app's misconfiguration of CORS policy, which allowed Ajax requests to be sent from Amazon subdomains.

If a subdomain was found to be vulnerable to code injection, an XSS attack could be launched, and this was performed via and .

According to Check Point, it would only take a victim to click on a malicious link to exploit the vulnerabilities. A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies. An attacker would then use these cookies to send an Ajax request to the Amazon skill store, which would send back a list of all skills installed in the victim's Amazon Alexa account.

By launching an XSS attack, researchers were also able to acquire CSRF tokens and, therefore, perform actions while masquerading as the victim. This could include removing or installing Alexa skills, and by using the CSRF token to remove a skill and then installing a new one with the same invocation phrase, this could "trigger an attacker skill," the team says.

Should a victim trigger this new skill unwittingly, it may be possible for attackers to access voice history records, as well as abuse skill interactions to harvest personal information. During tests, Check Point found phone numbers, home addresses, usernames, and banking data history could theoretically be stolen.

"Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim's interaction with the bank skill and get their data history," the team says. "We can also get usernames and phone numbers, depending on the skills installed on the user's Alexa account."

However, Alexa does redact banking information specifically in histories and logs. Check Point also provided proof-of-concept (PoC) code.

Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes - although the time window before malicious skills are spotted and removed may be short.

Check Point researchers disclosed their findings privately to Amazon in June, and the security issues have now been patched. "It's important to note that Amazon conducts security reviews as part of skill certification, and continually monitors live skills for potentially malicious behavior," the researchers say.

"We conducted this research to highlight how securing these devices is critical to maintaining users' privacy," commented Oded Vanunu, Check Point's Head of Products Vulnerabilities Research. "Any offending skills that are identified are blocked during certification or quickly deactivated."
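The CORS misconfiguration described above, in which any Amazon subdomain could make credentialed Ajax requests to another, is a pattern worth checking on any service that scopes CORS by parent domain rather than by exact origin. The Python snippet below is an added example, not code from the article or from Check Point: it contrasts a suffix-matching policy (any host under the parent domain is reflected into the response with credentials allowed) with an exact-origin allowlist, and includes a small self-audit function that reports which origins receive credentialed access without being allowlisted. The domain names, origins and function names are constructed assumptions, not the Amazon subdomains involved in the research.

```python
from urllib.parse import urlsplit

# Constructed sample values for this example; they are not the subdomains
# from the Check Point write-up.
PARENT_DOMAIN = "example.com"
TRUSTED_ORIGINS = frozenset({"https://app.example.com"})


def weak_cors_headers(origin: str) -> dict:
    """Over-permissive policy: any host under PARENT_DOMAIN is reflected into
    Access-Control-Allow-Origin together with Allow-Credentials: true.
    A script injected into any sibling subdomain can then make cookie-bearing
    cross-origin requests and read the responses."""
    host = urlsplit(origin).hostname or ""
    if host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def strict_cors_headers(origin: str) -> dict:
    """Hardened policy: exact-match allowlist of full origins (scheme, host,
    port), https only, and Vary: Origin so shared caches do not serve one
    origin's CORS headers to another. Anything else gets no CORS headers."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def credentialed_origins_outside_allowlist(policy, probe_origins) -> set:
    """Self-audit: run a list of origins through a policy function and return
    those that receive credentialed access although they are not allowlisted.
    An empty set is the expected result for a correctly scoped policy."""
    leaked = set()
    for origin in probe_origins:
        headers = policy(origin)
        if (
            headers.get("Access-Control-Allow-Credentials") == "true"
            and headers.get("Access-Control-Allow-Origin") == origin
            and origin not in TRUSTED_ORIGINS
        ):
            leaked.add(origin)
    return leaked


# Constructed probe origins: the legitimate app, a sibling subdomain of the
# same parent domain, a lookalike host registered elsewhere, and a plain-http
# copy of the legitimate origin.
PROBE_ORIGINS = [
    "https://app.example.com",
    "https://other.example.com",
    "https://example.com.lookalike.test",
    "http://app.example.com",
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_cors_headers), ("strict", strict_cors_headers)):
        leaked = credentialed_origins_outside_allowlist(policy, PROBE_ORIGINS)
        print(f"{name}: {sorted(leaked)}")
```

Running the script shows the suffix-matching policy granting credentialed access to the sibling subdomain and to the plain-http origin, while the exact allowlist grants it to none of the probes outside the list. The audit function is written against the policy function rather than against live HTTP responses so it can be dropped into a unit test for whatever code builds a service's CORS headers.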