Amazon Alexa

More than a decade ago, Amazon launched its Prime membership service with the promise of free two-day shipping. The unique offer helped attract millions of subscribers, shifted consumer expectations for shopping convenience and forced other large retailers to try to catch up.

(CNN) -- Amazon's Alexa and Google Home's smart assistant were vulnerable to a security issue that could have allowed hackers to eavesdrop on people without their knowledge or entice users to hand over sensitive information, researchers say.

Security Research Labs, a hacking research firm, said it discovered the flaw earlier this year and reported it to Amazon and Google. On Sunday, the firm posted a series of videos demonstrating how someone could exploit it.

Amazon and Google told CNN Business the security issue has since been fixed.

The findings were first reported by tech site ZDNet.

With the latest issue, SRLabs found hackers could have exploited the access Amazon and Google give third-party app developers to improve apps. Hackers could have used this access to customize commands that trigger a response from a home assistant.

In videos posted to YouTube, SRLabs showed how an app that works with Alexa or Google's voice assistant could be programmed by a hacker. In one demo, a user opened an app via a voice command and was told it does not run in their country. The voice assistant was then silent. However, unbeknownst to the user, it continues to run in the background, listening for prompts. After a few minutes, the voice assistant said there was a company update and asked the user to say their password.

Amazon and Google assistants do not ask users to reveal passwords when working correctly.

There doesn't appear to be evidence that any hackers actually carried out the manipulation to the voice assistants.

An Amazon spokesperson told CNN Business the company "quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified."

Google said it also promptly fixed the issue, noting it prohibits and removes any action that violates its policies.

"We have review processes to detect the type of behavior described in this report, and we removed the actions that we found from these researchers. We are putting additional mechanisms in place to prevent these issues from occurring in the future," a spokesperson said.

The-CNN-Wire™ & © 2019 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.

Recommended for you

(0) comments

Welcome to the discussion.

Keep it Clean. Please avoid obscene, vulgar, lewd, racist or sexually-oriented language.
PLEASE TURN OFF YOUR CAPS LOCK.
Don't Threaten. Threats of harming another person will not be tolerated.
Be Truthful. Don't knowingly lie about anyone or anything.
Be Nice. No racism, sexism or any sort of -ism that is degrading to another person.
Be Proactive. Use the 'Report' link on each comment to let us know of abusive posts.
Share with Us. We'd love to hear eyewitness accounts, the history behind an article.