Alexa, were you hacked? Security experts find major vulnerabilities in Amazon device that let cybercriminals steal personal data and delete commands and apps
- Security experts uncovered a bug in Amazon's Alexa personal assistant
- It allows hackers to take control of the device by adding apps and commands
- Hackers can also gather the victim's personal data and voice history
More than 200 million Amazon Alexa devices were at risk of cyber attacks due to a bug found lurking in the smart assistant.
Security researchers found a vulnerability that lets cybercriminals obtain voice history data, along with deleting and installing commands and apps.
The team discovered a misconfiguration in the system the permitted them to perform actions on the victim's behalf and view personal information.
Amazon has since rolled out a patch after the issue was reported to the tech giant and notes it is not aware of any incidents related to the bug.
Scroll down for videos
More than 200 million Amazon Alexa devices were at risk of cyber attacks due to a bug found lurking in the smart assistant. Security researchers found a vulnerability that lets cybercriminals obtain voice history data, along with deleting and installing commands and apps
The issues was uncovered by the cybersecurity firm Check Point, which found 'certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,' reads the report.
'Using the XSS we were able to get the CSRF token and perform actions on the victim's behalf.'
Share this article
The vulnerability permitted hackers to install and delete skills, along with obtain personal information of the user.
One approach can be done through a legitimate-looking like on a site used to track Amazon packages.
The issues was uncovered by the cybersecurity firm Check Point , which found 'certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting,' reads the report
Users type in their information and the malware hidden in the site opens the door to the device.
The attack required a single click by the user on a malicious link crafted by the hacker and voice interaction by the victim.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, said: 'Smart speakers and virtual assistants are so commonplace that it's easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes.'
'But hackers see them as entry points into peoples' lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.'
After uncovering the vulnerability, Check Point notified Amazon, which has since rolled out an update to patch it.
'The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,' said an Amazon spokesperson in a statement.
'We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.'
Fossilised eye of a tiny ancient sea creature that lived 429 million years ago is 'almost identical' to that of a modern bee, study finds
