Catalin Cimpanu, ZDNet:

Hackers can abuse Amazon Alexa and Google Home smart assistants to eavesdrop on user conversations without users’ knowledge, or trick users into handing over sensitive information.

And regarding the word “again” in the headline:

The attacks aren’t technically new. Security researchers have previously found similar phishing and eavesdropping vectors impacting Amazon Alexa in April 2018; Alexa and Google Home devices in May 2018; and again Alexa devices in August 2018.

Whack-a-mole. Amazon and Google respond to attacks with countermeasures, new attacks pop up.

As to the specifics, watch the videos embedded in the linked article. The phishing attack asks you for your password. Though there are some people who might actually respond to this, I’d guess most users would instantly get the evil intent here. But still, the fact that such an action exists, that it passes muster enough to be demo-able, does give me pause.

More troubling is the eavesdropping issue shown in the second set of videos. The fact that an action continues, even after you ask Alexa/Google to stop, does seem like it should not be allowed to happen.

Is this lack of security the price you pay for customizable actions?