Researchers at the cybersecurity firm Check Point recently detected a new vulnerability in Amazon Alexa. It is rated “critical” severity because it allows hackers to steal all personal data and remotely install skills.
The vulnerability was detected on Thursday, and it confirms that Amazon Alexa has been hijacked by threat actors using malicious Amazon links.
Alexa is an intelligent virtual assistant (IVA) software agent that can carry out tasks or services based on commands or questions from a person. Alexa is developed by Amazon and has several features, such as voice communication, music playback, setting alarms, and many other tasks.
Moreover, Alexa can also control home automation systems, and it has extra features such as weather programs and audio features.
Exploiting the vulnerability, an attacker could:
- Silently install skills (apps) on a user’s Alexa account.
- Get a list of all installed skills on the user’s Alexa account.
- Silently remove an installed skill.
- Get the victim’s voice history with their Alexa.
- Obtain the victim’s personal data as well.
XSS Flaw in One of Amazon’s Subdomains
According to the Check Point report, the researchers found that an SSL pinning mechanism is implemented in the Alexa app, and this blocked them from inspecting the traffic.
The researchers had to use a reliable Frida universal SSL unpinning script to bypass the SSL pinning and examine the traffic properly.
During the investigation they found that the app made many requests and that its CORS policy was misconfigured: it allowed Ajax calls to be sent from any other Amazon subdomain.
This could enable attackers with code-injection capability on one Amazon subdomain to carry out a cross-domain attack against other Amazon subdomains.
The security researchers have published how this attack could be carried out; the steps are listed below:
- Initially, the user clicks on a malicious link that leads them to amazon.com, where the threat actor has code-injection capability.
- Second, the threat actor sends a new Ajax call with the user’s cookies to amazon.com/app/secure/your-skills-page and gets a record of all installed skills on the Alexa account and the CSRF token in the reply.
- Third, the attacker uses the CSRF token to remove one basic skill from the list obtained in the previous step.
- Fourth, the attacker installs a skill with the same functionality as the deleted skill.
- Lastly, the user attempts to use the skill, which is now the one installed by the threat actor.
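The CORS misconfiguration described above, contrasted with a hardened check, as an added example that is not code from the Check Point report or from Amazon. The domain names, the allowlist and the function names are constructed for illustration; the weak function trusts any sibling subdomain with cookies, while the strict one grants credentialed access only to exact, listed origins.

```javascript
// Added illustration; domains and allowlist are constructed, not Amazon's.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://account.example.com"]);

// Weak policy, as described in the article: any sibling subdomain is trusted,
// and cookies are allowed on the cross-origin call.
function weakCorsHeaders(origin) {
  if (typeof origin === "string" && /^https?:\/\/([a-z0-9-]+\.)*example\.com$/i.test(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: exact-match allowlist of origins that need credentialed access.
function strictCorsHeaders(origin) {
  const headers = { Vary: "Origin" }; // keep caches from reusing a per-origin answer
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return headers; // missing or malformed Origin: no CORS grant
  }
  // Compare the normalized origin (scheme + host + port), never a suffix or regex.
  if (parsed.protocol === "https:" && ALLOWED_ORIGINS.has(parsed.origin)) {
    headers["Access-Control-Allow-Origin"] = parsed.origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Report, per origin, whether each policy would grant cross-origin access.
function compare(origins) {
  return origins.map((o) => ({
    origin: o,
    weakAllows: "Access-Control-Allow-Origin" in weakCorsHeaders(o),
    strictAllows: "Access-Control-Allow-Origin" in strictCorsHeaders(o),
  }));
}

// Constructed sample origins: trusted front end, unrelated sibling, plain HTTP, look-alike.
console.table(compare([
  "https://app.example.com", "https://promo.example.com",
  "http://app.example.com", "https://example.com.evil.test",
]));
```

With the strict policy, an injection flaw on an unrelated subdomain no longer lets a script read the credentialed response that carries the skills list and CSRF token.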
Alexa is used by many people nowadays, especially in smart homes, where the assistant handles vacuum cleaners, A/C, lights, and electric appliances. That’s why the experts are trying their best to resolve the whole issue.