Your Alexa account could have been hacked with one nasty link

An Amazon Echo Dot smart speaker (Image credit: Tom's Guide)

A range of alarming flaws affected Amazon’s cloud-based virtual-assistant service Alexa, security researchers have discovered.

The flaws made it possible for cyber crooks to tamper with a victim's Alexa skills, listen to their Alexa voice recordings and gain access to their personal data.

Easily exploitable 

Identified by security-software firm Check Point, these vulnerabilities affected specific subdomains used by Amazon and Alexa. The flaws existed on Amazon's servers, not on Amazon Echo devices or other Alexa-enabled devices.

Check Point warned that there were "a few different ways" that these flaws could have been exploited.

One way would have been to craft a malicious page on the Amazon.com or Alexa.com domains and then distribute a link to that page for victims to click. Because the page sat on a domain the victim's browser already trusted, it could capture a specific type of authorization token, which in turn granted the attacker access to the victim's Alexa account.

From there, Check Point said, the attacker could have removed an installed skill (the Alexa term for an app) and replaced it with a malicious skill carrying the same name. The malicious skill would run the next time the victim invoked that name by voice on an Alexa device.

“The attack only required a single click by the user on a malicious link crafted and sent by the hacker, and voice interaction by the victim,” warned the security firm in a press release.
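The article does not say what let a page on one Amazon subdomain read a token meant for the Alexa service. One common cause of that class of flaw, and the assumption behind the illustration below, is a cross-origin policy on the token endpoint that trusts every subdomain of the parent domain, so a script running on any sibling host is served the token. The Python below is an added example, not code from Check Point, Amazon or Tom's Guide: the host names are hypothetical, and it contrasts the loose "any subdomain" check with an exact-origin allow-list and shows which headers a token endpoint would emit under each.

```python
"""Added illustration of loose versus exact cross-origin trust.
Not Check Point's or Amazon's code; host names and policy are assumptions."""
from urllib.parse import urlsplit

# Assumed: the only first-party web origin that should be able to read
# account data cross-origin. Hypothetical host name for the example.
ALLOWED_ORIGINS = frozenset({"https://alexa.example-shop.com"})

# Hypothetical parent domain shared by many unrelated services.
PARENT_DOMAIN = "example-shop.com"


def loose_is_trusted(origin: str) -> bool:
    """Weak policy: trust any page whose host ends in the parent domain.
    A script on *any* sibling subdomain passes this check, so one
    injectable page anywhere under the domain is enough to read the token."""
    host = (urlsplit(origin).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_is_trusted(origin: str) -> bool:
    """Corrected policy: exact match on scheme, host and port against an
    explicit allow-list, so a sibling subdomain is not trusted."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    normalized = f"https://{parts.hostname.lower()}"
    if parts.port and parts.port != 443:
        normalized += f":{parts.port}"
    return normalized in ALLOWED_ORIGINS


def cors_headers(origin: str, policy) -> dict:
    """Headers a token endpoint would emit for a credentialed cross-origin
    request under the given policy. With credentials the origin must be
    echoed exactly (never '*'), which is why the allow decision matters."""
    if policy(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # no allow header: the browser withholds the response body


# Constructed sample origins: the legitimate app page, a sibling subdomain
# standing in for one an attacker could get a script onto, a look-alike
# domain, and the right host over plain HTTP.
SAMPLE_ORIGINS = [
    "https://alexa.example-shop.com",
    "https://track.example-shop.com",
    "https://example-shop.com.evil.test",
    "http://alexa.example-shop.com",
]


def compare(origins=SAMPLE_ORIGINS) -> dict:
    """Map each origin to (loose verdict, strict verdict)."""
    return {o: (loose_is_trusted(o), strict_is_trusted(o)) for o in origins}


if __name__ == "__main__":
    for origin, (loose, strict) in compare().items():
        print(f"{origin:40} loose={loose!s:5} strict={strict}")
```

The sibling subdomain is the case to watch: the loose policy hands it the token-bearing response with credentials, while the exact allow-list returns no allow header and the browser discards the body. The look-alike domain fails both checks, so a subdomain-suffix bug is not the same thing as a typosquatting problem; the fix is scoping trust to the one origin that needs it.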

Alexa is one of the world's most popular AI assistants, with tens of millions of users across the world. People use the service to listen to music, manage their calendars, operate smart home products and more.

However, with such a large user base and treasure trove of voice data, Check Point warned that Alexa has become an “attractive target for hackers”.

Oded Vanunu, head of products vulnerability research at Check Point, said: “Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes.

“But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware.”

Different malicious actions

Attackers could distribute links that appear to come from Amazon and lead to a page on the Amazon.com or Alexa.com domains, but that actually point to a page under the attacker's control. Because the domain looks legitimate, users could easily be convinced to click, and a single click would let the attacker perform a range of malicious actions.

Check Point said hackers could do things like:

  • Access a victim’s personal information, such as banking data history, usernames, phone numbers and home address  
  • Extract and listen to a victim’s voice history with their Alexa
  • Silently install Alexa skills (apps) on a user’s Alexa account
  • View the entire skill list of an Alexa user’s account
  • Silently remove an installed skill to stop it working

Check Point reported the vulnerabilities to Amazon, which has since fixed them.

“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy," Check Point said. "Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains."

Shortly after this story was originally published, Amazon reached out to Tom's Guide with the following statement to confirm the vulnerability was fixed.

“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," said an Amazon spokesperson over email. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
