An Alexa Bug Could Have Exposed Your Voice History to Hackers
Findings published on Thursday by the security firm Check Point reveal that Alexa's web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.

"Virtual assistants are something that you just talk to and answer, and usually you don't have in your mind some kind of malicious scenarios or concerns," says Oded Vanunu, Check Point's head of product vulnerability research. "But we found a chain of vulnerabilities in Alexa's infrastructure configuration that eventually allows a malicious attacker to gather information about users and even install new skills."

For an attacker to exploit the vulnerabilities, she would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com—a vulnerable page not related to Alexa, but used for tracking Amazon packages—the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

Continues at https://www.wired.com/story/amazon-alexa-bug-exposed-voice-history-hackers/

Bad hackers, bad! They have this nasty habit of ignoring the taboos that protect these listening devices^W appliances from unauthorized access (authorized by the manufacturer, not by the buyer, of course).
Maybe we will start to have reasonably secure systems when manufacturers are required by law to reward the hackers and to compensate the buyers with the same amount, at least a thousand euros, every time the former manage to demonstrate the gullibility of the latter, showing how badly they spend their money.

Giacomo
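The pivot the article describes works because a script injected into one subdomain can fire a request at a sibling subdomain and the browser attaches every cookie whose Domain attribute covers both. The following is an added example, not code from Wired, Check Point or Amazon, and it makes no claim about how Amazon's cookies were actually configured: it uses the Python standard-library cookie jar, which implements the standard Netscape/RFC 6265 domain-matching rules, on the hypothetical hosts track.example.com and skillsstore.example.com to show which cookies travel with a cross-subdomain request and which do not.

```python
"""Cookie-scope demonstration (added example; host names are hypothetical).

A cookie whose Domain attribute is the parent domain (".example.com") is
sent to every subdomain, so an XSS on track.example.com can reach
skillsstore.example.com with the victim's session attached.  A host-only
cookie stays with the host that set it, and a Secure cookie is never sent
over plain http.
"""
from http.cookiejar import Cookie, CookieJar
from typing import Dict, List
from urllib.request import Request


def make_cookie(name: str, value: str, domain: str) -> Cookie:
    """Build a Netscape-style (version 0) cookie.

    A leading dot in `domain` mirrors a Set-Cookie header that carried an
    explicit Domain attribute ("this domain and all its subdomains");
    without the dot the cookie is host-only.
    """
    initial_dot = domain.startswith(".")
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=initial_dot,
        domain_initial_dot=initial_dot,
        path="/", path_specified=True,
        secure=True,          # only sent over https
        expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookies_sent_to(jar: CookieJar, url: str) -> List[str]:
    """Return, sorted, the names of the cookies the jar would attach to url."""
    req = Request(url)
    jar.add_cookie_header(req)          # applies the domain/path/secure rules
    header = req.get_header("Cookie")
    if header is None:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def pivot_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: one parent-domain session cookie and one
    host-only cookie, then three requests an injected script might make."""
    jar = CookieJar()
    # Constructed cookies, not real Amazon values.
    jar.set_cookie(make_cookie("session", "victim-session", ".example.com"))
    jar.set_cookie(make_cookie("store_only", "x", "skillsstore.example.com"))
    return {
        # the page the victim was lured to: gets the shared session cookie
        "track": cookies_sent_to(jar, "https://track.example.com/some-parcel"),
        # the pivot target: gets the shared session cookie plus its own
        "skillsstore": cookies_sent_to(
            jar, "https://skillsstore.example.com/app/secure/your-skills-page"),
        # same host over plain http: Secure cookies are withheld
        "track_plain_http": cookies_sent_to(jar, "http://track.example.com/some-parcel"),
    }


if __name__ == "__main__":
    for target, names in pivot_scenario().items():
        print(f"{target:>17}: {names}")
```

The check a practitioner takes from this is to look at the Domain attribute of every session cookie on a property that hosts many subdomains: a parent-domain cookie turns an XSS on any one of them into a credentialed request to all of them, while a host-only cookie limits the blast radius to the host that issued it. Whether the target also honours the request depends on its own origin checks, which this example does not model.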
Participants (1): Giacomo Tesio