Researchers recently reported that live chat widgets used by several high-profile sites were leaking personal details of company employees. What data was being leaked by these live chat widgets and how can attackers use that information to successfully attack an organization?
Software integration is an important element of enterprise systems. Because enterprises may have a mission-critical piece of software that is core to their business, they might want ancillary systems to integrate with it to ensure that certain data is maintained or that consistent information is used when interacting with customers. These integrations are usually custom-developed and, for the integration to function properly, they require information to be embedded into the configuration.
When these integrations are internal, the risk of mistakes or vulnerabilities can be reduced. However, when these integrations are external-facing on the internet, the risk is higher. This may be an issue for enterprises that want to integrate cloud services with other systems.
Project Insecurity researchers Cody Zacharias and Kane Gamble recently published an advisory about some information disclosure vulnerabilities they found in the LiveChat software. The affected live chat widgets appear to integrate with the customers' internal systems, and that integration is exposed to the internet.
The vulnerability also appears to expose configuration information for the company's internal customer support applications in the HTML code of the public webpage. While the information exposed varies from enterprise to enterprise, it may include private information, such as employee names and ID numbers.
The most sensitive piece of information found by the researchers was the name of an employee's supervisor. Even though this type of information may be in an org chart or employee directory, it could still be used for social engineering with any other information gathered using open source intelligence.
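As an added example, not part of the original answer or of LiveChat's code, here is a defender-side check that parses the inline configuration a chat widget embeds in a page and flags fields that expose staff details. The markup, the `window.__chatWidgetConfig` global and the key names are constructed for illustration and are not LiveChat's real format.

```python
import json
import re
from typing import Any

# Constructed sample page: a hypothetical chat widget bootstrap that embeds
# agent configuration inline. Not LiveChat's real markup; an assumption for
# illustration only.
SAMPLE_HTML = """
<html><body>
<script>
window.__chatWidgetConfig = {"license": "PLACEHOLDER-LICENSE",
  "agents": [{"name": "A. Example", "employeeId": "E-0001", "supervisor": "B. Example"}],
  "theme": "light"};
</script>
</body></html>
"""

# Key names that, when present in client-visible config, usually signal
# internal data that should not be served to anonymous visitors.
SENSITIVE_KEYS = re.compile(r"(name|employee|supervisor|manager|email|phone|id)$", re.I)
# Matches `window.<global> = {...};` assignments inside inline scripts.
CONFIG_RE = re.compile(r"window\.\w+\s*=\s*(\{.*?\});", re.S)


def extract_configs(html: str) -> list:
    """Return every JSON object assigned to a window.* global in inline scripts."""
    configs = []
    for match in CONFIG_RE.finditer(html):
        try:
            configs.append(json.loads(match.group(1)))
        except json.JSONDecodeError:
            continue  # not plain JSON (a JS expression); skip it
    return configs


def find_sensitive_fields(obj: Any, path: str = "") -> list:
    """Walk nested dicts/lists and report (dotted path, value) for sensitive keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEYS.search(key) and not isinstance(value, (dict, list)):
                hits.append((child, str(value)))
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def audit_page(html: str) -> list:
    """Flag client-visible config fields that expose staff details."""
    hits = []
    for config in extract_configs(html):
        hits.extend(find_sensitive_fields(config))
    return hits
```

Running `audit_page` over a site's own rendered pages (for example from a CI job) turns this kind of leak into something caught before publication rather than after an advisory.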
Related Q&A from Nick Lewis