Dick Morrell: Amazon Users Advised to Reset Passwords Amid Echo Privacy Concerns (opens in new tab)

(sackheads.social)

27 pointsnour_2y ago11 comments

11 comments

If the vulnerability can't be revealed for "ethical" reasons, that implies it's ongoing... so what would a reset do? Wouldn't the newly reset credentials be just as vulnerable until fixed?

1970-01-012y ago

Keep changing it until he says it's OK to stop. /sarcasm

dgrin912y ago

Dupe of https://news.ycombinator.com/item?id=35710854

nour_OP2y ago

Dick Morrell urgently advising Amazon users to sign out of all devices, reset their passwords, and delete 2FA tokens due to an unspecified security issue. The issue appears to be related to Amazon Echo devices, which have been accused of scanning users' Wi-Fi networks and sending detailed profiles of network equipment back to Amazon. The code for this functionality is allegedly contributed by the US National Security Agency, raising concerns about privacy and unauthorized surveillance. Users are encouraged to take immediate action to protect their accounts and devices, as the full extent of this security problem is still unclear.

MiguelHudnandez2y ago

It's unclear if he's also recommending to leave echo devices disconnected, or just cycling the auth info.

Based on what he's sharing now, there are hints of two issues:

1) authentication information including MFA secrets might be leaked and need to be cycled. (this would be surprising)

2) Echo devices perform undisclosed reconnaissance on nearby wifi networks (not particularly surprising)

These seem like totally separate issues with different impacts and different mitigation techniques.

zamnos2y ago

What do you mean undisclosed?

It's totally right there! Right in the privacy policy no one read, on page 53, in size 2 font, in the cellar, in the display department, in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.'

1 more reply

rideontime2y ago

This user appears to be generating comments with GPT.

1vuio0pswjnm72y ago

To view this and other Mastodon toots without Javascript add "/embed" to the left side of URL.

https://sackheads.social/@Cloudguy/110256617380917383/embed

nathanaldensr2y ago

Who is Dick Morrell? This Twitter thread seems discombobulated, although I admit I am quite tired at the moment. Does this only apply to people who use Echo? Is it all Amazon users? Why does deleting 2FA help? Is Amazon storing passwords in clear text?

panarky2y ago

He doesn't say the issue is limited to Echo devices.

Yes, Echos are scanning wifi and phoning home details you didn't authorize, which is a bad thing but not the issue here.

Morrell says the issue is with all retail Amazon accounts (possibly not AWS-only accounts.)

j / k navigate · click thread line to collapse