Learning From Alexa's Multipart Exploit

To kick off our first edition of “A Learning Opportunity”, we’re starting with a really clever exploit discovered by Check Point Research. The researchers were able to find 3 vulnerabilities that could be exploited in concert to install or uninstall Alexa skills and access user information (including voice history). All that was required on the user’s end was clicking a malicious link.


The first vulnerability the researchers discovered was a misconfigured CORS policy on several Alexa requests. The policy was broader than it should have been: it allowed requests from any Amazon subdomain. One of these requests also returned a CSRF token, which the researchers could then use to perform actions on behalf of the user.



To exploit this, the researchers needed an XSS vulnerability from which to make the requests. Because of the misconfiguration, it could be on any of Amazon’s subdomains.

They found one on track.amazon.com, where an endpoint takes two parameters: paginationToken and pageSize. If the pageSize value contains a non-digit character, the server errors out and returns a 500 response. That response echoes the parameter values back with a content type of text/html, so a script passed through the pageSize parameter is executed by the browser.

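The two weak spots described above, the overly broad origin check and the reflected error parameter, shown beside their hardened forms. This is an added illustration, not Check Point’s or Amazon’s code; the allowlisted origin, the hostnames and the shape of the error handler are assumptions.

```javascript
// Added example (assumed handler shapes, constructed hostnames).
const ALLOWED_ORIGINS = new Set(['https://alexa.amazon.com']); // assumed allowlist

// Weak: any subdomain of amazon.com is accepted, so an XSS on any one
// of them can read API responses cross-origin (the first finding).
function corsOriginLoose(origin) {
  return /^https:\/\/[a-z0-9.-]+\.amazon\.com$/.test(origin) ? origin : null;
}

// Hardened: only exact, enumerated origins are echoed back in
// Access-Control-Allow-Origin; everything else gets no CORS header.
function corsOriginStrict(origin) {
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// Weak: the parameter is echoed verbatim into an HTML error body
// (the second finding: a reflected XSS on the error path).
function errorPageUnescaped(pageSize) {
  return { status: 500, contentType: 'text/html',
           body: `<p>Invalid pageSize: ${pageSize}</p>` };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: validate the input first, and escape anything that is still
// reflected (returning JSON instead of HTML is another option).
function errorPageEscaped(pageSize) {
  if (/^\d+$/.test(pageSize)) return null; // valid input, no error page at all
  return { status: 400, contentType: 'text/html; charset=utf-8',
           body: `<p>Invalid pageSize: ${escapeHtml(pageSize)}</p>` };
}
```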

With the XSS found, the full attack flow would be:

  1. Victim is tricked into clicking a malicious link

  2. Victim is redirected to the tracking subdomain with the malicious script passed via the pageSize parameter

  3. The malicious script hits the Alexa endpoint that returns a CSRF token

  4. Using that token the script performs whatever actions the bad actor wants

Takeaways

  1. Narrow down settings as much as possible. In this case, the overly wide CORS permissions increased the risk that an XSS vulnerability found anywhere on an Amazon subdomain could reach the Alexa endpoints.

  2. Always keep XSS in mind when handling user input. This was a relatively obscure way for input to be injected, which only proves the point that you need to examine your code critically.


That’s it for this edition. If you have any feedback on the formatting of the message or suggestions for vulnerabilities to break down, feel free to contact me on Twitter.

Please share this newsletter with your friends and co-workers!