Posted on April 6, 2018 at 7:03 AM

Security experts have shone a light on an exploit that allows sensitive information on employees and their companies to be mined through live chat widgets. Vulnerable sites include Google, several major banks, some internet service providers, and security software vendors.

In a recently published account, Project Insecurity revealed a very easy exploit in several customer care live chat services. These services are embedded as widgets on the websites of several major companies. Security experts Kane Gamble and Cody Zacharias say that the mined information could be used to impersonate employees and potentially infiltrate the vulnerable companies. Read their detailed account on Pastebin.

Affected services

Gamble and Zacharias have pinpointed the following chat services as being exploitable, while also stating that there are “many other” services with this vulnerability as well:

  • LiveChat Software owned by LiveChatInc,
  • TouchCommerce, recently acquired by Nuance Communications,
  • LivePerson

Companies using the above-mentioned services include Bank of America and its division Merrill Lynch, Citizens Bank, Cox Communications, Bell, AT&T, Verizon, Orange, Sprint, Spring, Google Fiber, PayPal, security software vendors Kaspersky and BitDefender, TorGuard VPN, Tesla, Disney, and Sony. The security experts say that many more companies also use these customer care services.

How the leaks happen

The leak works the same way across all of the live chat widgets. Identifying information about the agent and their employer is exposed in the POST request traffic exchanged between the widget and the chat service during a chat session with an agent, where anyone using the widget can read it. While the exact information exposed varies from site to site and from company to company, the experts have so far mined the following in their proof of concept: the agent's full name, location, employee identification and email address, their supervisor and manager along with their respective identification, the name of the center the agent works in, and information on other programs operated by the agent, such as CoFEE, a tool used at Verizon to look up customer information.

In their Pastebin post, Gamble and Zacharias give examples of the exposed data. They also state that the leak is possible only because there is no code on the service side that strips this identifying information out before it is sent to the visitor.
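The root cause described above is a missing projection step: the chat backend hands the widget the agent record it uses internally, and everything in that record becomes readable in the visitor's browser. The following is an added example, not code from the Project Insecurity write-up or from any of the named chat vendors. The event shape, the field names and the sample agent record are all assumptions constructed for illustration. It shows the leaky pattern next to an allow-list projection, plus a small check a practitioner can run over a captured widget payload to list the sensitive fields it carries.

```javascript
// Added example (not code from the Project Insecurity write-up or any vendor):
// a chat backend builds an "agent joined" event that the widget delivers to the
// visitor's browser. Everything in this event is readable by the visitor, so the
// server must project the internal agent record onto an allow-list before sending.

// Constructed sample of an internal agent record (hypothetical data, no real person).
const internalAgentRecord = {
  displayName: "Sam",
  avatarUrl: "https://chat.example.test/avatars/sam.png",
  fullName: "Samantha Example",
  email: "samantha.example@corp.example.test",
  employeeId: "E-48213",
  location: "Tampa contact center",
  supervisor: { name: "Chris Example", employeeId: "E-10077" },
  tools: ["CRM", "billing-lookup"],
};

// Field names (assumed for this example) that should never reach the visitor.
const SENSITIVE_KEYS = new Set([
  "fullName", "email", "employeeId", "location", "supervisor", "manager", "tools",
]);

// Vulnerable: the whole internal record is serialized into the chat event.
// This is the pattern the article describes: nothing filters identifying fields out.
function buildAgentJoinedEventVulnerable(agent) {
  return JSON.stringify({ type: "agent_joined", agent });
}

// Hardened: only the fields the visitor needs are copied out, by name.
// Any field later added to the internal record is dropped by default.
function buildAgentJoinedEventHardened(agent) {
  const visible = { displayName: agent.displayName, avatarUrl: agent.avatarUrl };
  return JSON.stringify({ type: "agent_joined", agent: visible });
}

// Check: walk a serialized payload (as copied from the browser's network tab or a
// proxy log) and report every sensitive key it contains, with its JSON path.
function findLeakedFields(serializedPayload) {
  const leaks = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEYS.has(key)) leaks.push(here);
      walk(value, here);
    }
  };
  walk(JSON.parse(serializedPayload), "");
  return leaks;
}

// Usage: run both builders over the sample record and audit the output.
const leakyEvent = buildAgentJoinedEventVulnerable(internalAgentRecord);
const safeEvent = buildAgentJoinedEventHardened(internalAgentRecord);
console.log("vulnerable payload leaks:", findLeakedFields(leakyEvent));
// → [ 'agent.fullName', 'agent.email', 'agent.employeeId', 'agent.location',
//     'agent.supervisor', 'agent.supervisor.employeeId', 'agent.tools' ]
console.log("hardened payload leaks:", findLeakedFields(safeEvent));
// → []
```

The allow-list direction matters: a deny-list that strips known fields (`email`, `employeeId`) silently starts leaking the next time someone adds a column to the agent table, whereas copying named fields out fails closed. The `findLeakedFields` check is deliberately independent of the builders so it can be pointed at real captured widget traffic, with the key set adjusted to whatever the service under test calls these fields.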

Taking action

Security experts Zacharias and Gamble have already notified the affected live chat services and vulnerable companies, hoping for a swift fix.

In a series of tweets, LiveChat claims to have resolved the issue. However, there are no updates from the other companies as of yet.

Article: Employees Info Leaked by Live Chat Programs

Author: Ali Raza

Publisher: Koddos
