Some Amazon and Alexa subdomains were vulnerable to attack, meaning hackers could have accessed users' voice history on Alexa devices, install third-party apps, and access personal information.
By exploiting cross-origin resource sharing (CORS) misconfiguration, as well as cross-site scripting (XSS) to get a unique CSRF token, hackers were able to perform actions on Alexa devices on a victims’ behalf.
These flaws, which were reported in June and subsequently fixed, could have allowed an attacker to install third-party apps (or skills), get a list of installed apps, remove an installed app, get a victim’s voice history, and access their personal information.
When testing with the Alexa mobile application, researchers with Check Point Research noticed an SSL pinning mechanism which prevented them from inspecting traffic. This was bypassed using a universal unpinning script, with researchers viewing traffic in plain text.
“While looking at the traffic of the application, we found that several requests made by the app had misconfigured the CORS policy, ultimately allowing the sending of Ajax requests from any other Amazon sub-domain,” said security researchers Dikla Barda, Roman Zaikin and Yaara Shriki.
“This could potentially have allowed attackers with code-injection capabilities on one Amazon subdomain to perform a cross-domain attack on another Amazon subdomain.”
One of the requests returned a list of all installed skills on the Alexa device, and also returned the CSRF token. This token was then used to perform actions, such as installing and enabling new skills remotely.
RELATED RESOURCE
The researchers needed to exploit the XSS vulnerability in one of Amazon’s sub-domains for the attack to succeed and use the victim’s identification cookies. From there, they could exploit the CSRF attack and CORS misconfiguration, and perform actions on behalf of the victim on their Alexa account.
Alarmingly, the attack could’ve been conducted using a single malicious link that would direct a victim to the Amazon website, where the attacker had code-injection capabilities. From there, they could conduct various actions including stealing voice history and personal data.
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson said.
"We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
-
The UK government wants quantum technology out of the lab and in the hands of enterprisesNews The UK government has unveiled plans to invest £121 million in quantum computing projects in an effort to drive real-world applications and adoption rates.
-
Netgear WBE710 reviewReviews The compact WBE710 delivers great cloud management features and a good turn of Wi-Fi 7 speed – but it does have a premium price tag
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
Hackers are turning Amazon S3 bucket encryption against customers in new ransomware campaign – and they’ve already claimed two victimsNews Attackers are using AWS’ server-side encryption to conduct ransomware attacks
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
