Mainstream Live Chat widgets leaking personal details of employees

According to the findings of Project Insecurity researchers Cody Zacharias and Kane Gamble, live chat software from various, commonly used programs are plagued with information leaking vulnerabilities. The live chat software identified to be vulnerable includes the following:

LiveChat Software by LiveChatInc
Nuance’s TouchCommerce
LivePerson

However, researchers believe that these are not the only live chat programs that are affected and there might be other affected by the flaws. These live chat widgets are responsible for leaking personal details of company employees of probably hundreds of popular websites.

The sites managed by Google, Bank of America, Sprint, PayPal, Verizon, Bell, Spring, Kaspersky Lab, Disney, Tesla, Sony, Orange, TorGuard VPN, and Bitdefender are among those identified to be vulnerable.

All the identified live chat software, researchers claim, get affected in the same manner. Since live chat sessions involve the exchange of sensitive and important data between the agent and the user, therefore, it is an issue of great concern.

Leaked data includes employee’s name, email address and ID, supervisor and managers’ names and IDs, the location of the employee, center name and indication of the other software used by the employee. This data is leaked by examining the requests made during a live chat session.

The leak happens after an attacker manages to engage in a live chat session with a support staff employee. However, not every company’s employee data is leaked while the details acquired by attacker also vary from company to company. It mainly relies upon the way every business sets up its support widgets. It is also possible that no information is leaked.

Gamble and Zacharias state that the information being exposed is what a person would require to successfully perform social engineering attacks by impersonating as the employee through using the acquired data as it would be real and authentic.

“This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network,” wrote researchers in a post on Pastebin.

In a conversation with HackRead, Kane said that “He hopes the impacted parties will patch the flaw and learn how these vulnerabilities can harm them and their customers if exploited by malicious elements.”

Researchers did produce a proof-of-concept but out of the three abovementioned live chat services, only two were proved to be vulnerable while LivePerson could not be proved so. LiveChat, TouchCommerce, and LivePerson are serving a long list of firms across a variety of industries. The companies have been notified by Project Insecurity researchers but a patch hasn’t been released as yet.

The information leaking bug in the software exists primarily because companies do not prevent information about the person from being mentioned in the communication. The information leakage may also result from the way a website or company uses the software.

For more technical details visit the official post published by researchers on Pastebin.

Update:

LiveChat has tweeted that they are preparing for a patch based on the recent findings.

Update #2

On Saturday morning (April 7, 2018), LiveChat confirmed that a security patch has been issued and now it will be impossible to expose the email address of employees while chatting via LiveChat. LiveChat also claims that the issue was of a far lesser significance compared to TouchCommerce since the leak only exposed email address of the agent you are chatting with.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.