A flaw affecting virtually any Alexa account could give access to the victim’s personal data. The loophole, already fixed by Amazon, was exploited by hackers using a malicious link that the user had to click and that looked very similar to an official one from Jeff Bezos’ company.
Unlike its main competitors, Google Assistant and Siri, Alexa allows new functions to be added as a kind of extension, which Amazon calls skills. They range from smart home commands to games like Akinator and Show of the Million, and even podcasts that can be played on smart speakers.
A loophole in Amazon and Alexa subdomains targeted precisely this capability, according to what the security company Check Point discovered. Once the link was clicked, the hacker could access the victim’s personal data, such as purchase history, phone number and physical address, extract the entire Alexa voice history, view the list of skills, and install or uninstall any of them.
The biggest risk in this attack lies in the growing presence of Alexa-compatible speakers. The voice history basically comes from them, and in Brazil we already have many models, such as the entire Echo line from Amazon itself and devices from partners, such as the Izy Speak from the Brazilian company Intelbras and headphones from Sony, as well as the latest TVs from LG and Samsung, which have the assistant built in.
The positive side of this alert is that Amazon says it has already fixed the flaw and it can no longer be exploited by hackers.
With information from Check Point.