Researchers disclosed flaws in Amazon Alexa that could allow attackers to access personal data and install skills on Echo devices. An attacker could remotely exploit these vulnerabilities by sending a specially crafted Amazon link. Amazon fixed the security issues, and researchers publicly disclosed the flaws on Thursday. In a real-world attack, a bad actor would first convince an Alexa user to click on a malicious link, which then directs them to Amazon where the attacker has code-injection capabilities. From there the attacker could get a list of the apps installed on Alexa and the user s token.
Source: https://threatpost.com/amazon-alexa-one-click-attack-can-divulge-personal-data/158297/