Beautiful Virgin Islands

Monday, Sep 01, 2025

Amazon Alexa security bug allowed access to voice history

Amazon Alexa security bug allowed access to voice history

A flaw in Amazon's Alexa smart home devices could have allowed hackers access personal information and conversation history, cyber-security researchers say.

Attackers could install or remove apps on a device without the owner knowing, Check Point Research reports.

The hack "required just one click on an Amazon link" purposely crafted by the attacker, it says.

The firm told Amazon about the flaw, which has now been fixed.

Amazon said: "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us."

It said it did not know of any case where a bad actor had used the vulnerability to target its customers.

In January, Amazon said there were "hundreds of millions" of Alexa devices in the world.

Malicious skills


Check Point said the hack required the creation of a malicious Amazon link, which would be sent to an unsuspecting user.

Once they clicked the link, the attacker could get a list of all installed Alexa "skills" - or apps - and steal a token allowing them add or remove skills.

One way to use the flaw would be to remove a skill and then install a malicious one that uses the same "invocation phrase" - the series of spoken words used to trigger it. This could have been done without the user knowing.

The next time the user tried to activate that skill, it would have run the attacker's app instead.

The attackers would have been able to see Alexa's voice history - a record of conversations between the user and device.

Check Point said this could create major problems, pointing to banking skills that let the user check their account balance.

"This could lead to exposure of personal information, such as banking data history," they argued - even though it does not save banking login details.

Amazon objected to this suggestion, however, saying that banking information - like balances - was redacted in the record of Alexa's responses, so it could not have been accessed.

The attack would also allow access to personal information in the Amazon profile, such as a home address, Check Point said.

Amazon also said it believed the use of a secret malicious skill was less likely than Check Point's researchers implied.



Amazon’s head of Alexa Dave Limp on privacy concerns



It said there were systems in place to prevent malicious skills from ever hitting the Alexa Skills Store - and that security reviews were part of their process.

Badly behaving apps were also routinely deactivated, it said.

"Their screening process probably would have caught most bad actors - they are quite good at that and know their reputation is at stake," said University of Surrey cyber-security expert Prof Alan Woodward.

"The thing about this hack was that it was due to a vulnerability that is well-known… so it's surprising to see it in Amazon's estate."

He said the access to voice records was a big concern, but was unsure if other hackers could have known about the vulnerabilities in specific subdomains used to launch the attack.

"Although if the security researchers found it, I'm sure less scrupulous people could have done the same."

Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
Chinese and Indian Leaders Pursue Amity Amid Global Shifts
European Union Plans for Ukraine Deployment
ECB Warns Against Inflation Complacency
Concerns Over North Cyprus Casino Development
Shipping Companies Look Beyond Chinese Finance
Rural Exodus Fueling European Wildfires
China Hosts Major Security Meeting
Chinese Police Successfully Recover Family's Savings from Livestream Purchases
Germany Marks a Decade Since Migrant Wave with Divisions, Success Stories, and Political Shifts
Liverpool Defeat Arsenal 1–0 with Szoboszlai Free-Kick to Stay Top of Premier League
Prince Harry and King Charles to Meet in First Reunion After 20 Months
Chinese Stock Market Rally Fueled by Domestic Investors
Israeli Airstrike in Yemen Kills Houthi Prime Minister
Ukrainian Nationalist Politician Andriy Parubiy Assassinated in Lviv
Corporate America Cuts Middle Management as Bosses Take On Triple the Workload
Parents Sue OpenAI After Teen’s Death, Alleging ChatGPT Encouraged Suicide
Amazon Faces Lawsuit Over 'Buy' Label on Digital Streaming Content
Federal Reserve Independence Questioned Amid Trump’s Push to Reshape Central Bank
British Politics Faces Tumultuous Autumn After Summer of Rebellions and Rising Farage Momentum
US Appeals Court Rules Against Most Trump-Era Tariffs
UK Sought Broad Access to Apple Users’ Data, Court Filing Reveals
UK Bank Shares Dive Over Potential Tax on Sector
Germany’s Auto Industry Sheds 51,500 Jobs in First Half of 2025 Amid Deepening Crisis
Bruce Willis Relocated Due to Advanced Dementia
French and Korean Nuclear Majors Clash As EU Launches Foreign Subsidy Probe
EU Stands Firm on Digital Rules as Trump Warns of Retaliation
Getting Ready for the 3rd Time in Its History, Germany Approves Voluntary Military Service for Teenagers
Argentine President Javier Milei Evacuated After Stones Thrown During Campaign Event
Denmark Confronts U.S. Diplomat Over Covert Trump-Linked Influence in Greenland
Starmer Should Back Away from ECHR, Says Jack Straw
Trump Demands RICO Charges Against George Soros and Son for Funding Violent Protests
Taylor Swift Announces Engagement to NFL Star Travis Kelce
France May Need IMF Bailout, Warns Finance Minister
Chinese AI Chipmaker Cambricon Posts Record Profit as Beijing Pushes Pivot from Nvidia
After the Shock of Defeat, Iranians Yearn for Change
Ukraine Finally Allows Young Men Aged Eighteen to Twenty-Two to Leave the Country
The Porn Remains, Privacy Disappears: How Britain Broke the Internet in Ten Days
YouTube Altered Content by Artificial Intelligence – Without Permission
Welcome to The Definition of Insanity: Germany Edition
Just a reminder, this is Michael Jackson's daughter, Paris.
Spotify’s Strange Move: The Feature Nobody Asked For – Returns
Manhunt in Australia: Armed Anti-Government Suspect Kills Police Officers Sent to Arrest Him
China Launches World’s Most Powerful Neutrino Detector
How Beijing-Linked Networks Shape Elections in New York City
Ukrainian Refugee Iryna Zarutska Fled War To US, Stabbed To Death
Elon Musk Sues Apple and OpenAI Over Alleged App Store Monopoly
2 Australian Police Shot Dead In Encounter In Rural Victoria State
Vietnam Evacuates Hundreds of Thousands as Typhoon Kajiki Strikes; China’s Sanya Shuts Down
UK Government Delays Decision on China’s Proposed London Embassy Amid Concerns Over Redacted Plans
A 150-Year Tradition to Be Abolished? Uproar Over the Popular Central Park Attraction
×