Vulnerabilities in Amazon Alexa exposed user data to outsiders

Vulnerabilities in Amazon Alexa

In June this year, researchers from Check Point discovered a number of dangerous vulnerabilities that exposed the Amazon Alexa virtual assistant and its users to attack.

The root causes were CORS misconfiguration and XSS bugs affecting several Amazon subdomains, together with other configuration issues.

By exploiting these bugs, attackers could gain access to personal data (usernames, phone numbers, home addresses, voice history) and perform various actions on behalf of victims (for example, deleting and installing Alexa skills).

“It took just one click on a link, specially created by an attacker, to successfully exploit [the problems]”, the researchers write.

For a successful attack, the attacker only needed to craft a malicious link pointing at amazon.com and get the victim to click on it.

The researchers suggested the vulnerable track.amazon.com for this purpose: this page is not associated with Alexa, but is used to track Amazon parcels, and at the time it was susceptible to injection of malicious code.

Next, the attacker sent an Ajax request, carrying the user’s cookies, to amazon.com/app/secure/your-skills-page, which returned the list of skills installed for this Alexa account.

The response to such a request also contained a CSRF token, which the attacker could use to remove one skill from the list. The attacker could then install their own malicious Alexa skill on the device in the same way. Replacing a removed skill with their own opened up many opportunities for the criminal, depending on the skills installed on the user’s device.
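The chain above depends on an authenticated endpoint answering a cross-origin request in a way the browser lets another page read. As an added example, not from the Check Point write-up or from Amazon, here is a small check a defender can run over the CORS headers returned by their own endpoints to spot that pattern: the response echoes the requesting Origin while also allowing credentials, so cookie-authenticated content (such as a skills list with its CSRF token) becomes readable by script on that origin. The allowlist and the sample responses are constructed for illustration.

```python
"""Flag CORS responses that hand credentialed content to an untrusted origin."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist: the only origins allowed to make credentialed reads.
TRUSTED_ORIGINS = {"https://www.amazon.com", "https://alexa.amazon.com"}


@dataclass
class CorsVerdict:
    risky: bool
    reason: str


def assess_cors(request_origin: str, response_headers: dict) -> CorsVerdict:
    """Decide whether a browser at request_origin could read this response.

    The dangerous combination is Access-Control-Allow-Origin reflecting the
    requester plus Access-Control-Allow-Credentials: true for an origin that
    is not on the allowlist.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return CorsVerdict(False, "no Access-Control-Allow-Origin: cross-origin read blocked")
    if acao == "*":
        # Browsers never attach cookies to a wildcard grant, so nothing private leaks.
        return CorsVerdict(False, "wildcard origin: credentialed read refused by browsers")
    if acao != request_origin:
        return CorsVerdict(False, f"grant for {acao} does not match requester")
    if not creds:
        return CorsVerdict(False, "origin reflected, but credentials are not allowed")
    if acao in TRUSTED_ORIGINS:
        return CorsVerdict(False, "credentialed grant to an allow-listed origin")
    host = urlparse(acao).hostname or ""
    # A sibling subdomain is the track.amazon.com case: one XSS there reads the account.
    if host.endswith(".amazon.com"):
        return CorsVerdict(True, f"credentialed grant to sibling subdomain {host}")
    return CorsVerdict(True, f"credentialed grant reflected to untrusted origin {acao}")


def audit_samples() -> list:
    """Run the check over constructed responses; returns (label, risky) pairs."""
    samples = {
        "reflect+creds": ("https://track.amazon.com",
                          {"Access-Control-Allow-Origin": "https://track.amazon.com",
                           "Access-Control-Allow-Credentials": "true"}),
        "wildcard+creds": ("https://evil.example",
                           {"Access-Control-Allow-Origin": "*",
                            "Access-Control-Allow-Credentials": "true"}),
        "allowlisted": ("https://alexa.amazon.com",
                        {"Access-Control-Allow-Origin": "https://alexa.amazon.com",
                         "Access-Control-Allow-Credentials": "true"}),
    }
    return [(label, assess_cors(o, h).risky) for label, (o, h) in samples.items()]
```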

For example, it was possible to access the victim’s voice history, and from it usernames, phone numbers, home addresses and banking data (Alexa does not record banking login credentials, but it does record other interactions).

“Smart speakers and virtual assistants seem so unremarkable that, at times, we lose sight of their role in managing a smart home, as well as how much personal data they store. For this reason, hackers view these applications as entry points into people’s lives, through which they can access personal data, eavesdrop on conversations and perform other malicious activities without the user’s knowledge”, says Oded Vanunu, head of the vulnerabilities research department at Check Point Software Technologies.

Amazon engineers have since patched all of the discovered vulnerabilities. In addition, company representatives stated that they were not aware of any exploitation of these problems or of any disclosure of customer information.

We have written many times about vulnerabilities in IoT devices; for example, the Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips. The Internet of Things is becoming part of everyday life, and it is full of new dangers.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft products. He is available 24/7 to help you with any question related to Internet security.
