Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack.
For an attacker to exploit the vulnerabilities, they would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com -- a vulnerable page not related to Alexa, but used for tracking Amazon packages -- the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.
The platform would mistake the attacker for the legitimate user, and the hacker could then access the victim's full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim's Alexa account.
Both Check Point and Amazon note that all skills in Amazon's store are screened and monitored for potentially harmful behavior, so it's not a foregone conclusion that an attacker could have planted a malicious skill there in the first place.
Check Point suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa's responses. "The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us."
An Amazon spokesperson told Wired: "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."