A link was enough to undermine Alexa

An alert regarding Alexa comes from the Check Point Research team: Amazon's virtual assistant, along with the ecosystem of skills that has contributed to its success so far, was affected by a vulnerability that could compromise not only the user experience but also the privacy of users targeted by an attack. Fortunately, the issue has now been fixed.

A vulnerability in Amazon Alexa (now fixed)

According to the findings, a malicious link to the official website, perhaps sent via email and disguised as a link to a current offer or to an application download, was enough to trigger a number of actions without the victim's knowledge:

- silently install new skills;
- obtain a list of the skills connected to the account;
- remove an installed skill;
- obtain the history of the voice commands given by the user;
- obtain the user's personal information.

The techniques used were Cross-Origin Resource Sharing (CORS) and Cross-Site Scripting (XSS). The researchers revealed the details of the flaw only today, after Amazon intervened, as mentioned at the beginning, and corrected what was necessary to ensure the safe operation of Alexa. Check Point Research notified the Bezos group in June.

In any case, it is yet another sign that the ever wider spread of smart home and Internet of Things devices, not only those of the Echo range, is accompanied by a multiplication of the threats affecting these areas.
