
Amazon error allowed Alexa user to eavesdrop on another home - danso
https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J
======
jaclaz
It would be interesting to know the details on the way the "link" worked.

I mean, if a common Facebook employee (very likely a first level assistance
worker or maybe his/her supervisor) could actually locate (making a mistake,
but that is something that can happen, unfortunately) the recordings and
provide a link to them, the questions are IMHO:

1) how (exactly) are the recordings conserved? (i.e. encrypted or unencrypted,
or encrypted with a sort of "master" password that anyone working for Amazon
Alexa department in customer care knows)

2) how was the link shared to the (wrong in this case) customer? (i.e. was it
a "generic" link that anyone could find and access, did it need an Amazon
login of some kind, etc.)

~~~
dopylitty
I wouldn't be surprised if they were using S3 presigned URLs[0]. I could
imagine a Lambda based customer service app which would pull a customer's
recordings from wherever they're stored, package them up, and then drop them
in an S3 bucket and generate a presigned URL which gets returned to the
customer service app. Then I would also not be surprised if a customer support
rep just grabbed the wrong link.

[0]
[https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectP...](https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html)

