Alexa can be hacked with a simple link
Another day, another security issue.
Last year, researchers discovered that Amazon’s Alexa can be hacked via a laser. This year, a group of researchers revealed another way to hack Amazon’s Alexa. This time they didn’t use any lasers, but methods known as Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS).
The research team behind this hack is known as Check Point Research. The team that revealed this vulnerability consists of three members: Yaara Shriki, Roman Zaikin, and Dikla Barda. They specialize in collecting and analyzing cyber-attack data.
In their demonstrations, the Check Point Research team inserted a malicious link into Alexa, camouflaged as a Skill installer. All that is left is for the unsuspecting user to click the link for the fake Skill, which triggers a series of communications between the servers. From there, it is smooth sailing for the hacker, who can easily extract the user’s personal information.
The hack revealed that hackers can collect important personal data such as IDs and access tokens. The data is extracted when the subdomains communicate with one another in order to execute certain tasks.
So far, there is no official response from Amazon on whether the company has managed to patch this vulnerability. There are over 200 million Alexa-powered devices out in the wild that are potentially vulnerable to this hack.