HackRead
  • January 21st, 2021
Mainstream Live Chat widgets leaking personal details of employees

April 4th, 2018 · Waqas · Security, Privacy

According to the findings of Project Insecurity researchers Cody Zacharias and Kane Gamble, the live chat software used by several commonly deployed vendors is plagued with information-leaking vulnerabilities. The live chat software identified as vulnerable includes the following:

LiveChat Software by LiveChatInc
Nuance’s TouchCommerce
LivePerson

However, the researchers believe that these are not the only live chat programs affected and that others may share the same flaws. These live chat widgets leak personal details of employees at what are probably hundreds of popular websites.

The sites managed by Google, Bank of America, Sprint, PayPal, Verizon, Bell, Spring, Kaspersky Lab, Disney, Tesla, Sony, Orange, TorGuard VPN, and Bitdefender are among those identified to be vulnerable.

All of the identified live chat software, the researchers claim, is affected in the same manner. Since live chat sessions involve the exchange of sensitive and important data between the agent and the user, this is an issue of great concern.

Leaked data includes the employee’s name, email address and ID, the names and IDs of their supervisor and managers, the location of the employee, the name of their support center, and an indication of the other software used by the employee. This data is exposed in the requests made during a live chat session, where anyone examining the traffic can read it.

The leak happens once an attacker manages to engage in a live chat session with a support staff employee. However, not every company’s employee data is leaked, and the details an attacker can acquire vary from company to company; it depends mainly on how each business sets up its support widgets. It is also possible that no information is leaked at all.

Gamble and Zacharias state that the exposed information is exactly what a person would need to carry out social engineering attacks by impersonating the employee, since the acquired data is real and authentic.

This is massive!! If you haven’t seen it already, look at the PRELIMINARY sample of places this affected pic.twitter.com/F3Hyn3U8rT

— uɐpʇou@ ✸ (@notdan) April 3, 2018

“This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network,” wrote researchers in a post on Pastebin.

In a conversation with HackRead, Kane said that he hopes the impacted parties will patch the flaw and learn how these vulnerabilities can harm them and their customers if exploited by malicious elements.

The researchers did produce a proof-of-concept, but of the three live chat services named above, only two could be shown to be vulnerable; the LivePerson flaw could not be confirmed. LiveChat, TouchCommerce, and LivePerson serve a long list of firms across a variety of industries. The companies have been notified by the Project Insecurity researchers, but no patch had been released at the time of writing.

The information-leaking bug exists primarily because companies do not prevent internal details about the support agent from being included in the communication sent to the visitor. The leakage may also result from the way an individual website or company configures the software.
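As an added illustration (not the researchers' proof-of-concept and not any vendor's code), the following Python shows the defensive pattern the article implies: project the agent record down to the fields the visitor-facing widget actually needs, and run a check over outgoing payloads for the kinds of internal details the researchers found. The record format, field names and values are constructed for this example.

```python
import re

# Constructed agent record as a chat backend might attach to a session
# (not any vendor's real format). Only display_name is meant for the visitor.
AGENT_RECORD = {
    "display_name": "Alex",
    "full_name": "Alex Example",
    "email": "alex.example@corp.example",
    "employee_id": "E-10234",
    "supervisor": {"name": "Sam Lead", "id": "E-00871"},
    "location": "Centre 3, Floor 2",
    "center_name": "EMEA Support",
    "tools": ["CRM-Desktop", "TicketTool"],
}

# Fields the visitor-facing widget needs; everything else stays server-side.
VISITOR_ALLOWLIST = {"display_name"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Key names that indicate internal agent details (matches the categories the article lists).
INTERNAL_KEY_RE = re.compile(
    r"(?:^|_)id$|full_name|employee|supervisor|manager|location|center|tools", re.I
)


def visitor_view(agent):
    """Server-side projection: copy only allowlisted keys into the visitor payload."""
    return {k: v for k, v in agent.items() if k in VISITOR_ALLOWLIST}


def find_leaks(payload):
    """Check an outgoing chat payload for internal agent details.
    Returns a list of findings (empty means nothing suspicious was seen)."""
    findings = []

    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if INTERNAL_KEY_RE.search(k):
                    findings.append(f"internal field '{path + k}'")
                walk(v, path + k + ".")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{path}{i}.")
        elif isinstance(obj, str) and EMAIL_RE.search(obj):
            findings.append(f"email address in '{path.rstrip('.')}'")

    walk(payload, "")
    return findings
```

Running `find_leaks` on the raw record flags the name, email, employee and supervisor IDs, location, center and tool fields, while the projected `visitor_view` yields no findings.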

For more technical details visit the official post published by researchers on Pastebin.

Update:

LiveChat has tweeted that they are preparing for a patch based on the recent findings.

Hi! Thanks a lot for letting us know. We’re preparing a fix to make the personal data of employees impossible to expose while chatting via LiveChat. Our team is going to implement it as soon as possible. Once we are able to confirm that the fix works properly, we’ll let you know.

— LiveChat Status (@LiveChatStatus) April 4, 2018

Update #2

On Saturday morning (April 7, 2018), LiveChat confirmed that a security patch has been issued and that it is now impossible to expose the email address of employees while chatting via LiveChat. LiveChat also claims that its issue was of far lesser significance than the TouchCommerce one, since its leak only exposed the email address of the agent you are chatting with.

Tags: Chat, Google, Kaspersky, LEAKS, Paypal, Privacy, security, Technology, Tesla, Vulnerability
Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.