
In the News

Amazon has fixed a bug that allowed hackers to listen in on Alexa devices

7 May 2018 | By Kayla Matthews

Checkmarx was able to create a skill that allowed hackers to listen in on Echo devices and their users’ conversations. Amazon fixed the problem earlier this month, but the incident serves as a cautionary tale as our homes become more connected and voice assistant speakers become more common.


Amazon Alexa is Hacked, Again; The Security of Users’ Personal Info Is Questioned

7 May 2018 | By Divya Nayak

As per Checkmarx Researchers, they were able to manipulate code within a built-in Alexa JavaScript library (ShouldEndSession) to pull off the hack. The JavaScript library is tied to Alexa’s orders to stop listening if it doesn’t hear the user’s command properly. Checkmarx’s tweak to the code simply enabled Alexa to continue listening, no matter the voice request order.


Is Alexa spying on YOU? Security researchers reveal how the assistant’s code could be tweaked to create new ‘skill’ that lets it eavesdrop

7 May 2018 | By

Researchers at cybersecurity firm Checkmarx created what seemed to be a harmless calculator skill, or an application used for the voice-activated assistant, that would secretly record long after a user made a command.

Alexa-enabled devices are programmed to only respond and record interactions when they're prompted by a 'wake word', such as 'Echo,' 'Alexa' or 'computer'.


Amazon’s Alexa had a flaw that let eavesdroppers listen in

7 May 2018 | By Alfred Ng

Alexa is a good listener -- so good, in fact, that researchers discovered a way to have it record audio indefinitely.

Amazon's smart voice assistant had a coding flaw that could have let malicious developers turn the Echo into a listening device.

Alexa, the voice assistant used by millions of smart gadgets including Amazon's popular Echo lineup, uses what it calls Skills to carry out commands. You ask if rain is coming, for example, and Alexa uses the "Weather" Skill to answer.


Amazon’s Alexa had a slight eavesdropping flaw

7 May 2018 | By Joe Uchill

Researchers at the security firm CheckMarx discovered a security flaw in Amazon's Alexa voice enabled digital personal assistant that could have been used to eavesdrop and transcribe any ambient conversation.

But, there are caveats: The flaw requires a user to not only install, but also run a malicious app on Alexa, and not notice Alexa's trademark blue light never turns off. Amazon has now released a patch, meaning it is not an issue for up-to-date Alexa systems.


Flaw let Amazon Alexa record users without knowing

29 Apr 2018 | By Good Morning America

Researchers at cybersecurity firm Checkmarx say they found a flaw that could have let the smart speaker record users without them knowing it.


2018 Security 100: 20 Coolest Web, Email And Application Security Vendors

7 Mar 2018 | By Michael Novinson

Checkmarx in July unveiled its acquisition of Codebashing, an application security education company built by developers that uses gamification to train other developers. One month later, the company released an interactive application security testing platform that enables dynamic and continuous testing in real time with zero scan time, outstanding accuracy and seamless implementation.


Tinder Flaw Lets Anyone Snoop on Your Swipes

24 Jan 2018 | By Marshall Honorof

Israeli security firm Checkmarx released a report on the subject, entitled “Are You on Tinder? Someone May Be Watching You Swipe.” The paper covers two distinct and potentially troubling flaws. The first takes advantage of unsecured Tinder protocols; the second can discern what happens behind secured connections with a little basic math.


Tinder app can let people see who you match with and swipe left or right on

24 Jan 2018 | By Aatif Sulleyman

The vulnerabilities were uncovered by cyber security firm Checkmarx, which describes them as “disturbing”.

It discovered that the Tinder app lacks basic HTTPS encryption for profile pictures, allowing anyone using the same Wi-Fi network as you to see the same profiles you come across on the app.

Checkmarx also found that different actions within the app produce specific patterns of bytes that are recognisable even in encrypted form.


Hackers can see and edit your Tinder pictures and matches simply by joining the same Wi-Fi network as you

24 Jan 2018 | By Shivali Best

Researchers from Checkmarx have released a report titled ‘Are You on Tinder? Someone May Be Watching You Swipe’ in which they explain Tinder’s lack of HTTPS encryption.

The researchers built a proof-of-concept app called TinderDrift, that can reconstruct a user’s Tinder activity if the person is on the same Wi-Fi network.
