An Amazon spokesman confirmed Check Point's findings and stressed that the flaws have now been fixed. "We appreciate the work of independent researchers such as Check Point, who make us aware of potential problems. We fixed the vulnerability immediately after we learned of it, and will continue to strengthen our systems." Amazon is not aware of any cases "in which this weakness has been exploited to the detriment of our customers or customer information".
Also TikTok, WhatsApp and Fortnite
According to Check Point, the vulnerabilities were not in the speakers themselves but in Amazon's online infrastructure. It was possible to attack certain Amazon and Alexa internet domains with a so-called cross-site scripting (XSS) attack. The researchers were also able to intercept the authorization key ("CSRF token") and thus perform actions in the victim's name.
With these methods, an attacker would have been able, among other things, to remove or reinstall programs ("Skills") on a victim's Alexa account. It would also have been possible to access the Amazon customer's voice history and steal personal information about the user's interactions with each of the programs. "An attack would require only a single click on a supposed Amazon link created by the attacker in order to be successful."
Amazon reacted quickly to the disclosure of these vulnerabilities on certain Amazon and Alexa subdomains, Check Point said. "We hope that manufacturers of similar devices will follow Amazon's example and check their products for vulnerabilities that could jeopardize users' privacy." Check Point has already carried out similar security research on TikTok, WhatsApp and Fortnite and obtained "alarming results". The company did not want to say exactly what these weaknesses were.

Updated Date: 13 August 2020, 15:20