Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data
A shocking new report by researchers at Check Point security exposes a critical vulnerability in Amazon’s Alexa virtual assistant platform that could be leveraged by attackers to access banking data history, home addresses, and other personally identifiable information. Check Point researchers found several web application flaws on Amazon Alexa subdomains that can be remotely exploited through a specially crafted Amazon link.
The flaws include a cross-site scripting bug and a cross-origin resource sharing misconfiguration. Check Point stated that securing virtual assistant devices is critical to maintaining privacy. The findings in the report were disclosed to Amazon in June of 2020, and the flaws were announced publicly today.