A vulnerability in various Amazon subdomains would have allowed hackers to snoop at the recorded voice histories of Alexa users, potentially exposing personal information, according to a team of researchers.
Check Point Research says the security hole, which has since been patched, would also have allowed attackers to surreptitiously install or delete Alexa skills on a user’s account, get a list of a user’s installed Alexa skills, or request a user’s home address or other personal information stored in their profile.
An Alexa user would have simply needed to click a single malicious Amazon link to fall victim to the attack, according to the researchers.
In its report, Check Point noted that certain Amazon subdomains were “vulnerable to Cross-Origin Resource Sharing misconfigurations” as well as cross-site scripting (XSS), a security hole that allows hackers to inject malicious JavaScript into otherwise trusted web applications.
Check Point said that it warned Amazon about the vulnerability back in June and that Amazon quickly patched the bug.
The now-fixed Alexa security hole serves as yet another example of how hackers can exploit vulnerabilities in voice assistants such as Alexa and Google Assistant to gain access to your personal information, as well as underlining the need to frequently wipe your recorded voice histories.
Both Alexa and Google Assistant have tools that, once enabled, will automatically delete voice recordings after either 18 or three months. You can learn how to turn those tools on by reading this article.
You can also ask Alexa or Google Assistant to delete your recent voice history. For example, you can say, “Alexa, delete everything that I said today,” or “Hey Google, delete this week’s activity.”
To delete your entire Alexa voice history at once, open the Alexa app, tap More > Settings > Alexa Privacy > Review Voice History, select All History in the Date Range menu, then tap Delete All Recordings for All History.
To do the same for Google Assistant, open the Google Home app, tap your profile image, then tap Assistant settings > Your data in the Assistant > Assistant activity, select All time from the Delete menu, then tap the Delete button.