The attack required users to click on a malicious link. The vulnerability was reported in June and has been patched by Amazon. But you never know.
"Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.
These vulnerabilities would have allowed an attacker to:
- Silently install skills (apps) on a user’s Alexa account
- Get a list of all installed skills on the user’s Alexa account
- Silently remove an installed skill
- Get the victim’s voice history with their Alexa
- Get the victim’s personal information"
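
The quoted findings pair a CORS misconfiguration with XSS to obtain a CSRF token. As an added example (not from the report or from Amazon's code), the sketch below contrasts a permissive origin check with an exact allow-list on a credentialed endpoint; the host names and the suffix-match form of the weak check are assumptions, since the page does not say how the policy was misconfigured.

```javascript
// Added example. All host names are constructed placeholders.
// Origins that are allowed to read credentialed responses (e.g. a CSRF token).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://store.example.com",
]);

// Weak policy (assumed form): trust anything that ends with the parent domain
// and reflect it back together with Allow-Credentials. An XSS on ANY sibling
// host then becomes able to read responses from this endpoint.
function weakCorsHeaders(origin) {
  if (origin && origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Strict policy: exact scheme+host match against a short allow-list.
// Vary: Origin keeps shared caches from serving one origin's answer to another.
function strictCorsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed Origin header values covering the usual failure modes.
const SAMPLE_ORIGINS = [
  "https://app.example.com",    // intended caller
  "https://legacy.example.com", // sibling subdomain not on the allow-list
  "https://notexample.com",     // look-alike that passes a suffix match
  "http://app.example.com",     // right host, cleartext scheme
  "null",                       // sandboxed iframe / file origin
];

// Report which policy would let each origin read a credentialed response.
function comparePolicies(origins) {
  return origins.map((origin) => ({
    origin,
    weak: "Access-Control-Allow-Origin" in weakCorsHeaders(origin),
    strict: "Access-Control-Allow-Origin" in strictCorsHeaders(origin),
  }));
}

console.table(comparePolicies(SAMPLE_ORIGINS));
```

With the strict policy, reducing the allow-list to the hosts that actually need the token limits how far an XSS on an unrelated subdomain can reach.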