
Amazon Alexa can be hacked with an Amazon link with one click

Amazon is both famous and notorious for making it extremely easy to buy things with just one click, even offering a “1-click” button to do just that. However, it seems just as easy to compromise one of Amazon’s most popular products. The AI-powered Alexa personal assistant is found in a great many smart speakers and smart home products, yet a hacker needs only a well-crafted, innocent-looking link to take control of an Alexa device and gain its associated owner information.

Smart assistants have always carried some level of privacy and security risk, as they almost always communicate with a remote server to work their magic. Even with voice recognition on the device, getting information and controlling other devices almost always requires communicating over the internet. This is even more true when the user wants to install a new app or skill, and that is where this Alexa vulnerability starts.

Check Point Research announces that Amazon’s Alexa-related subdomains are particularly vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). In short, it means that hackers can extract some vital information like tokens and IDs when Amazon’s subdomains communicate with each other to perform certain tasks.

The researchers’ example was a malicious link disguised as an Alexa skill installer. All the unsuspecting user has to do is click this link, and a series of communications between remote servers will provide data that a hacker can use to insert code into Amazon’s Alexa Skill Store and gain access to the user’s account. From there, the intruder can install or remove Alexa skills and even get the victim’s personal information.
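To make the subdomain trust problem described above concrete, here is an added example (not code from Check Point or Amazon) comparing a CORS policy that trusts every subdomain with one that uses an exact allowlist. The `example.com` hosts, the function names and the sample origins are all assumptions made for illustration.

```javascript
// Added illustration: example.com and its subdomains are placeholders,
// not Amazon's hosts; all function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://store.example.com", "https://account.example.com"]);

// Weak policy: reflects any origin under the parent domain and allows
// credentials, so one XSS-prone sibling subdomain can read token responses.
function weakCorsHeaders(origin) {
  const anySubdomain = /^https?:\/\/([a-z0-9-]+\.)*example\.com$/i;
  if (typeof origin === "string" && anySubdomain.test(origin)) {
    return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
  }
  return {};
}

// Hardened policy: exact-match allowlist of HTTPS origins that need the data.
// Vary: Origin keeps shared caches from serving one origin's grant to another.
function strictCorsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser rule: a credentialed cross-origin read needs ACAO === origin and ACAC "true".
function credentialedReadAllowed(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample origins, evaluated under both policies.
const SAMPLE_ORIGINS = [
  "https://store.example.com",         // legitimate consumer
  "https://legacy-promo.example.com",  // sibling subdomain not on the allowlist
  "http://store.example.com",          // plaintext scheme
  "https://example.com.attacker.test", // look-alike suffix
  "null",                              // sandboxed iframe or file origin
];

function comparePolicies(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    weak: credentialedReadAllowed(weakCorsHeaders(origin), origin),
    strict: credentialedReadAllowed(strictCorsHeaders(origin), origin),
  }));
}

console.table(comparePolicies());
```

Under the weak policy the sibling subdomain and the plaintext origin are both granted credentialed reads, which is why a script-injection flaw on any one subdomain exposes data served by the others.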

Unfortunately, the post doesn’t mention whether Amazon has already fixed these vulnerabilities. With smart assistants and smart speakers becoming more prevalent, it is important that every step of the data processing flow is as secure as possible.
