One click on the wrong link could have been enough to get your Alexa account hacked, according to security researchers at Check Point. All an attacker had to do was get the user to follow a malicious link that pointed to an Amazon domain (and therefore looked legitimate), for example by inviting them to install a new skill.
With no further interaction needed, a chain of "invisible" requests between web servers would have let the attacker obtain crucial details, such as the tokens and unique identifiers that the user's smart speaker or smart display uses to talk to Amazon's servers.
These tokens let an attacker act on the user's account and, from there, cause all sorts of harm: installing or removing skills, or stealing sensitive personal information, including the history of voice interactions between the user and the assistant. Notably, the vulnerability was not in the devices themselves but in some subdomains of Alexa's web servers:
Our investigations show that some Amazon / Alexa subdomains were vulnerable to misconfigurations of CORS (Cross-Origin Resource Sharing) and XSS (Cross-Site Scripting). Using XSS we were able to conduct a Cross-Site Request Forgery (CSRF) attack and perform actions on behalf of the victim.
Amazon has since fixed the problem, after Check Point reported it in June 2020. There is no evidence that any attacker actively exploited the vulnerability.
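The Check Point quote above describes the general pattern: a CORS policy that reflects an attacker-controlled Origin together with Access-Control-Allow-Credentials: true lets a page the attacker controls (or a page on a subdomain they can inject script into via XSS) read a credentialed response, such as a token, and then forge requests with it. The following is an added example written for this page, not code from the article or from Check Point's report. It models the browser's rule for exposing a credentialed cross-origin response, and compares a vulnerable policy (substring match on the Origin header) with a hardened one (exact allowlist). All hostnames and the token value are placeholders, and the token endpoint is simulated rather than fetched.

```javascript
// Added example: browser-side model of a credentialed CORS read.
// Hostnames, policies and the token are constructed placeholders; none
// of them come from the article or from Check Point's report.

const TRUSTED_ORIGINS = new Set([
  "https://alexa.example-trusted.com",
  "https://skills.example-trusted.com",
]);
const TRUSTED_SUFFIX = "example-trusted.com";

// Vulnerable policy: any Origin that merely *contains* the trusted
// domain string is reflected back, with credentials allowed. This
// accepts https://example-trusted.com.evil.net as well as every
// subdomain of the trusted domain, so one XSS on any subdomain is enough.
function corsHeadersVulnerable(origin) {
  if (origin && origin.includes(TRUSTED_SUFFIX)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened policy: exact-match allowlist of full origins (scheme + host),
// plus Vary: Origin so a shared cache never serves one origin's headers
// to another.
function corsHeadersHardened(origin) {
  if (TRUSTED_ORIGINS.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {};
}

// Browser rule for fetch(url, { credentials: "include" }): the response
// body is exposed to the calling page only if Access-Control-Allow-Origin
// exactly equals the page's origin ("*" is rejected once credentials are
// sent) and Access-Control-Allow-Credentials is the literal "true".
function browserExposesBody(pageOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao !== undefined && acao !== "*" && acao === pageOrigin && acac === "true";
}

// Simulated token endpoint: the server applies the CORS policy and returns
// a token in the body (constructed value, not a real Amazon token).
function tokenEndpointResponse(origin, policy) {
  return {
    headers: policy(origin),
    body: JSON.stringify({ csrfToken: "tok-constructed-123" }),
  };
}

// What script running at `pageOrigin` gets from a credentialed fetch of
// the token endpoint under `policy`: the token if the browser exposes the
// body, otherwise null (the request still went out, but the page is
// blocked from reading the response).
function readTokenFrom(pageOrigin, policy) {
  const res = tokenEndpointResponse(pageOrigin, policy);
  return browserExposesBody(pageOrigin, res.headers)
    ? JSON.parse(res.body).csrfToken
    : null;
}

// Once a token is readable, the attacker's page can replay it against a
// state-changing endpoint; this models that CSRF step as a plain check.
function forgedRequestAccepted(token, expectedToken) {
  return token !== null && token === expectedToken;
}
```

To test a real endpoint for the vulnerable pattern, send a request with a foreign Origin and inspect the response headers, for example `curl -s -D - -o /dev/null -H 'Origin: https://example-trusted.com.evil.net' https://<host>/<endpoint>`; a reflected Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true is the finding. The hardened policy above still allows every listed subdomain, so the allowlist must contain only origins that are themselves free of XSS and served over HTTPS.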