A number of vulnerabilities have been revealed that have given attackers access to Amazon’s Alexa smart home installation. The report, from Check Point Security researchers, reveals that a number of Amazon and Alexa subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS). By using XSS, an attacker would be able to acquire a CSRF token that would provide them access to elements of the smart home installation.
Attackers could potentially install Alexa skills without the knowledge of the user, acquire a list of all installed skills, silently remove installed skills, acquire the victim’s voice history with Alexa, and even gain personal information.
It is possible that attackers only need users to click on a malicious link once before gaining full access. Check Point Security responsibly disclosed the vulnerabilities to Amazon in June 2020, and the issues have since been fixed.
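Added example, not taken from Check Point's report or Amazon's code: the page does not say what the CORS misconfiguration was, so this assumes a common one, a policy that trusts every origin under a parent domain, and compares it with an exact allow-list. The domain `example.com`, the sample origins and the function names are all placeholders.

```javascript
// Added illustration; domains are placeholders, not taken from the report.
const PARENT = "example.com";                          // hypothetical parent domain
const ALLOWED = new Set(["https://app.example.com"]);  // exact origins that need API access

// Weak policy (assumed): reflect any origin ending in the parent domain, with
// credentials. An XSS flaw on ANY sibling subdomain can then read authenticated
// responses, including a CSRF token, from this API.
function weakCorsHeaders(origin) {
  if (origin && origin.endsWith(PARENT)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: parse the origin, require https, match an exact allow-list.
function strictCorsHeaders(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {};                                         // missing or malformed Origin header
  }
  if (parsed.protocol !== "https:" || !ALLOWED.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                                  // keep caches from mixing origins
  };
}

// Constructed sample Origin header values.
const SAMPLES = [
  "https://app.example.com",     // intended client
  "https://legacy.example.com",  // sibling subdomain that should not have API access
  "https://notexample.com",      // look-alike that passes a naive suffix check
  "http://app.example.com",      // plaintext variant of the intended client
  "null",                        // sandboxed or file-based context
];

// Return the sample origins that a policy would grant credentialed access to.
function audit(policy) {
  return SAMPLES.filter((o) => "Access-Control-Allow-Origin" in policy(o));
}

console.log("weak  :", audit(weakCorsHeaders));
console.log("strict:", audit(strictCorsHeaders));
```
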
If you wish to remove your voice history, you can follow our guide below:
1. Launch the Alexa app
2. Open Settings
3. Select Alexa Privacy
4. Review Voice History
You’ll see a list of all the requests you’ve made since setting up your Echo. You can choose the recordings you want to delete or tap Delete All Recordings for Today.
Once you press Delete All Recordings, you will be presented with a confirmation box. Click Yes and your information will be removed.