April 6, 2018 at
Security experts have shone a light on an exploit that allows sensitive information on employees and their companies to be mined through live chat widgets. Vulnerable sites are Google, several major banks, some internet service providers, and security software.
In a recently published account, Project Insecurity revealed a very easy exploit in several customer care live chat services. These services are employed in the form of widgets by several major companies. Security experts Kane Gamble and Cody Zacharias say that the mined data could be used to impersonate workers, and potentially infiltrate the vulnerable companies. Read their detailed account on Pastebin.
Gamble and Zacharias have pinpointed the following chat services as being exploitable, while also stating that there are “many other” services with this vulnerability as well:
- LiveChat Software owned by LiveChatInc,
- TouchCommerce, recently acquired by Nuance Communications,
The companies who are using the above mentioned services are Bank of America and its division Merrill Lynch, Citizens Bank, Cox Communications, Bell, AT&T, Verizon, Orange, Sprint, Spring, Google Fiber, PayPal, antivirus software Kaspersky and BitDefender, TorGuard VPN, Tesla, Disney, and Sony. The security experts say that there are many more companies who also use the above-mentioned customer care services.
How the leaks happen
The exploit takes place in similar ways across all live chat widgets. Important pieces of identifying information on the employee and the company are revealed via POST requests during a chat session with an agent. While the exact type of exploited information varies from site to site and from company to company, the experts have so far mined the following pieces of information in their proof-of-concept method: the employee’s full name, location, identification, and email, their supervisor and manager, as well as their respective identification, the center’s name, and information on other programs operated by the agent, such as CoFEE, a tool used at Verizon to look up customer information.
In their Pastebin, Gamble and Zacharias provide examples of exploited information. They also state that the leak could only happen because there was no code preventing the sending of such pieces of identifying information.
Security experts Zacharias and Gamble have already notified the affected live chat services and vulnerable companies, hoping for a swift patch.
In a series of tweets, LiveChat claims to have resolved the issue. However, there are no updates from the other companies as of yet.
— LiveChat Status (@LiveChatStatus) March 20, 2018