Amazon's voice assistant Alexa could be exploited to hand over user data because of security holes in the service's subdomains.
The smart assistant, built into devices such as the Amazon Echo and Echo Dot, was exposed to attackers looking for users' personally identifiable information (PII) and voice recordings.
Check Point said the security problems were caused by Amazon's Alexa subdomains being susceptible to cross-origin resource sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
Check Point researchers identified the vulnerability by running tests with Amazon's voice assistant application, and they found that a misconfigured policy on many of the requests made by the application allowed requests to be sent from any Amazon subdomain.
This allows attackers who are able to inject code on one subdomain to carry out a cross-domain attack on another Amazon subdomain.
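The misconfiguration described above, as an added example that is not code from Check Point or Amazon: a server-side CORS origin check that trusts every subdomain of a parent domain, beside an exact-match allowlist. The example.com host names, the sample origins and the function names are constructed for illustration.

```javascript
// Hypothetical parent domain; not Amazon's configuration.
const PARENT = "example.com";

// Weak: any subdomain of the parent is trusted. A single subdomain with
// an XSS flaw can then send cookie-bearing requests to the API.
function weakPolicy(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return false; }
  return host === PARENT || host.endsWith("." + PARENT);
}

// Hardened: exact match (scheme + host) against the origins that
// actually need the API. The entry below is a constructed value.
const ALLOWED = new Set(["https://app.example.com"]);
function strictPolicy(origin) {
  return ALLOWED.has(origin);
}

// Response headers a server would emit for a request's Origin header.
function corsHeaders(origin, policy) {
  if (typeof origin !== "string" || !policy(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true", // cookies are sent
    "Vary": "Origin",                           // keep caches per-origin
  };
}

// Constructed sample of Origin header values seen by the API.
const SAMPLE_ORIGINS = [
  "https://app.example.com",      // the legitimate front end
  "https://track.example.com",    // sibling subdomain, assumed XSS-prone
  "http://legacy.example.com",    // plain-HTTP sibling
  "https://example.com.evil.test",// look-alike, different parent
  "null",                         // sandboxed iframe / file origin
];

// Which origins would be granted credentialed access under a policy?
function acceptedOrigins(policy, origins = SAMPLE_ORIGINS) {
  return origins.filter((o) => "Access-Control-Allow-Origin" in corsHeaders(o, policy));
}

console.log("weak  :", acceptedOrigins(weakPolicy));
console.log("strict:", acceptedOrigins(strictPolicy));
```

Under the weak policy the sibling subdomains receive credentialed access, which is why an injection flaw on any one of them reaches the API; the allowlist confines that access to the single origin that needs it.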
As a proof of concept, the researchers used an Amazon subdomain to take advantage of cookies and the misconfigured policy to make changes to Alexa accounts.
They designed a lure that brings victims to track.amazon.com, from which the researchers could send requests carrying the victim's cookies to a URL that lists the voice applications installed on the victim's Alexa account.
The researchers then used a token to remove a common application from the list and install a harmless application that uses the same activation phrase as the deleted one.
In this way, victims who use the activation phrase unknowingly trigger the attacker's malicious application.
Check Point found during testing that phone numbers, home addresses, user names and banking data records could, in theory, be stolen.
Amazon does not record login data, but user interactions are recorded, so information that passes between Alexa and the bank appears in the records.
A spokesman for Amazon said in a statement: "Security is our top priority, and we appreciate the work of independent researchers, such as Check Point, who show us potential problems."
He added: "We fixed this problem shortly after it was brought to our attention, and we continue to strengthen our systems. We are not aware of any cases of this vulnerability being exploited against our customers or of any private customer information being disclosed."
The researchers wrote in a blog post: "Virtual assistants are used in smart homes to control everyday Internet of Things devices such as light bulbs, air conditioners, vacuum cleaners, electricity and entertainment. Their popularity has grown over the past decade to play a role in our daily lives, and it seems that as technology develops, they will become more prevalent."
They added: "Given that virtual assistants today serve as the entry point to home appliances and device controllers, securing these points has become critical, with maintaining user privacy as a top priority."
A study conducted by researchers in the computing faculty at Clemson University found that the privacy policies applied to Amazon's Alexa and Google Assistant are often problematic and violate basic requirements.